All articles
GUIDE · 7 min read

Software Supply Chain Attacks: A Defender's Guide

The last two years made one thing clear: your dependencies are your attack surface. Here's the defender's playbook for npm, PyPI, Go modules and containers.

Know what you ship

Generate an SBOM on every build (CycloneDX or SPDX). You can't defend what you can't inventory.

Pin and verify

Lockfiles + integrity hashes + signature verification (Sigstore/cosign). Reject anything unsigned or unpinned in CI.

  • npm ci with --ignore-scripts where possible
  • pip install with --require-hashes
  • cosign verify on every container pull

Watch the maintainers

Subscribe to advisories. Pin major versions of critical packages. Auto-quarantine new releases for 48h before promoting to prod.

Build trusted

SLSA Level 3+ pipelines: hermetic builds, provenance attestations, two-person review for production releases.

Tools mentioned

SyftGrypecosignSigstoreDependabotSocket.dev
⟩ takeaway

Supply chain security is dependency hygiene plus build integrity. Both, not either.

⟩ keep reading

Related articles