GUIDE · 7 min read
Software Supply Chain Attacks: A Defender's Guide
The last two years made one thing clear: your dependencies are your attack surface. Here's the defender's playbook for npm, PyPI, Go modules and containers.
Know what you ship
Generate an SBOM on every build (CycloneDX or SPDX). You can't defend what you can't inventory.
Pin and verify
Lockfiles + integrity hashes + signature verification (Sigstore/cosign). Reject anything unsigned or unpinned in CI.
- npm ci with --ignore-scripts where possible
- pip install with --require-hashes
- cosign verify on every container pull
Watch the maintainers
Subscribe to advisories. Pin major versions of critical packages. Auto-quarantine new releases for 48h before promoting to prod.
Build trusted
SLSA Level 3+ pipelines: hermetic builds, provenance attestations, two-person review for production releases.
Tools mentioned
SyftGrypecosignSigstoreDependabotSocket.dev
⟩ takeaway
Supply chain security is dependency hygiene plus build integrity. Both, not either.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.