Software supply chain attacks have increased dramatically, targeting dependencies, build systems, and distribution channels. Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA) provide frameworks for securing the software supply chain.
Supply Chain Attack Vectors
- Dependency Confusion: Malicious packages with internal names
- Typosquatting: Packages with similar names to popular ones
- Compromised Build Systems: Injecting malware during build
- Stolen Credentials: Publishing malicious updates
Generating SBOM with Syft
# Generate SBOM for container image
syft packages myapp:latest -o spdx-json > sbom.spdx.json
# Generate SBOM for source directory
syft dir:. -o cyclonedx-json > sbom.cyclonedx.json
# GitHub Actions integration
name: Generate SBOM
on: [push]
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: myapp:${{ github.sha }}
format: spdx-json
output-file: sbom.spdx.json
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.spdx.jsonSLSA Build Provenance
# GitHub Actions - SLSA Level 3 provenance
name: SLSA Build
on: [push]
jobs:
build:
runs-on: ubuntu-latest
outputs:
digest: ${{ steps.build.outputs.digest }}
steps:
- uses: actions/checkout@v4
- name: Build and push
id: build
uses: docker/build-push-action@v5
with:
push: true
tags: ghcr.io/org/app:${{ github.sha }}
provenance:
needs: build
permissions:
id-token: write
contents: read
actions: read
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ghcr.io/org/app
digest: ${{ needs.build.outputs.digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}Sigstore Signing
# Sign container image with Cosign
cosign sign --key cosign.key ghcr.io/org/app:v1.0.0
# Keyless signing with OIDC
cosign sign ghcr.io/org/app:v1.0.0
# Verify signature
cosign verify --key cosign.pub ghcr.io/org/app:v1.0.0
# Attach SBOM to image
cosign attach sbom --sbom sbom.spdx.json ghcr.io/org/app:v1.0.0
# Sign the SBOM
cosign sign --attachment sbom ghcr.io/org/app:v1.0.0Kubernetes Policy Enforcement
# Kyverno policy - require signed images
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image-signature
spec:
validationFailureAction: Enforce
background: false
rules:
- name: verify-signature
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/org/*"
attestors:
- entries:
- keyless:
subject: "https://github.com/org/*"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.devDependency Lock Files
# Python - pip-tools for reproducible builds
pip-compile requirements.in --generate-hashes
# Node.js - npm with integrity
npm ci --ignore-scripts
# Go - verify checksums
go mod verify
# Renovate config for automated updates
{
"extends": ["config:base"],
"vulnerabilityAlerts": {
"enabled": true
},
"packageRules": [
{
"matchUpdateTypes": ["patch", "minor"],
"automerge": true
}
]
}Private Registry Security
# Terraform - ECR with scanning
resource "aws_ecr_repository" "app" {
name = "app"
image_tag_mutability = "IMMUTABLE"
image_scanning_configuration {
scan_on_push = true
}
encryption_configuration {
encryption_type = "KMS"
kms_key = aws_kms_key.ecr.arn
}
}
resource "aws_ecr_lifecycle_policy" "app" {
repository = aws_ecr_repository.app.name
policy = jsonencode({
rules = [{
rulePriority = 1
description = "Keep last 10 images"
selection = {
tagStatus = "any"
countType = "imageCountMoreThan"
countNumber = 10
}
action = {
type = "expire"
}
}]
})
}Conclusion
Software supply chain security requires a multi-layered approach including SBOM generation, build provenance, artifact signing, and policy enforcement. By implementing SLSA practices and using tools like Sigstore, organizations can significantly reduce supply chain risks.
