Software Supply Chain Security

Supply-chain security protects everything your software depends on but you didn't write (open-source packages, build tools, CI pipelines, and base images) from compromise, because an attacker who poisons a dependency or a build step compromises every downstream user at once.

Your application's attack surface is far larger than your own repository. It includes every dependency you pull, every GitHub Action in your workflows, every base image in your Dockerfiles, and the CI system that assembles them. Software supply-chain security is the practice of defending that whole chain.

The threat is leverage. Compromising one popular package, one unpinned Action, or one build server can reach thousands of downstream projects automatically — as the SolarWinds, Codecov, and event-stream incidents all showed. The attacker doesn't need to breach you; they breach something you trust.

Defences are concrete: pin dependencies and Actions to immutable versions (a commit SHA, not a moving tag), generate and verify an SBOM, scan for known-vulnerable packages, lock down CI permissions so a poisoned step can't exfiltrate secrets, and watch for typosquatted or newly-malicious packages.

How GateTest handles it

Several GateTest modules target the supply chain directly: dependencies (vulnerable / wildcard / unpinned packages), ci-security (unpinned Actions, pwn-request, secret-echo, missing permissions blocks), dockerfile (untrusted base images, curl-pipe-sh), and secret-rotation. Together they harden the chain, not just first-party code.

Related modules: dependencies, ciSecurity, dockerfile, secretRotation

Frequently asked questions

What is a software supply-chain attack?

An attack that compromises something you depend on rather than your own code — a dependency, a build tool, a CI Action, or a base image — so that every project trusting that component is compromised at once. SolarWinds and Codecov are well-known examples.

How do I reduce supply-chain risk?

Pin dependencies and CI Actions to immutable SHAs, generate an SBOM, scan for known-vulnerable packages, restrict CI permissions, and watch for typosquatted packages. GateTest's dependencies, ci-security, and dockerfile modules check these automatically.
