Supply chain attacks are growing exponentially. A compromised dependency, build pipeline, or registry means a backdoor in your software.
Protective layers
- Signed commits (GPG, SSH signing)
- Lockfile + integrity checks
- Dependency pinning (exact versions)
- Private registry / proxy
- Signed artifacts (Cosign, Sigstore)
- SLSA framework compliance
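Added example (not from the original page) showing what the "lockfile + integrity checks" and "dependency pinning" layers actually verify: it re-hashes fetched artifacts and compares them against the SRI-style `sha512-<base64>` strings an npm-style lockfile records, and flags entries that are not pinned to an exact version or carry no hash at all. The lockfile and artifact bytes are constructed inline, so it runs offline.

```python
import base64
import hashlib
import hmac
import re

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")  # no ^, ~, x, * ranges


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string ("sha512-<base64>") for an artifact's bytes."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


# Constructed stand-ins for the tarballs a package manager would download.
ARTIFACTS = {
    "node_modules/left-pad": b"left-pad tarball bytes (constructed)",
    "node_modules/lodash": b"lodash tarball bytes, swapped on the mirror (constructed)",
}

# Constructed lockfile in the npm package-lock "packages" shape.
# lodash records a hash that no longer matches the bytes we fetched;
# axios is a range with no integrity field at all.
LOCKFILE = {
    "packages": {
        "node_modules/left-pad": {"version": "1.3.0",
                                  "integrity": sri(ARTIFACTS["node_modules/left-pad"])},
        "node_modules/lodash": {"version": "4.17.21",
                                "integrity": sri(b"original lodash tarball (constructed)")},
        "node_modules/axios": {"version": "^1.6.0"},
    }
}


def verify_lockfile(lock: dict, fetched: dict) -> list:
    """Return (package, problem) findings; an empty list means every check passed."""
    findings = []
    for name, entry in lock.get("packages", {}).items():
        if not EXACT_VERSION.match(entry.get("version", "")):
            findings.append((name, f"version not pinned exactly: {entry.get('version')!r}"))
        expected = entry.get("integrity")
        if not expected:
            findings.append((name, "no integrity hash in lockfile"))
            continue
        data = fetched.get(name)
        if data is None:
            findings.append((name, "artifact not fetched"))
            continue
        actual = sri(data, expected.split("-", 1)[0])  # reuse the lockfile's algorithm
        if not hmac.compare_digest(actual, expected):
            findings.append((name, "integrity mismatch: artifact differs from the locked hash"))
    return findings


if __name__ == "__main__":
    for pkg, problem in verify_lockfile(LOCKFILE, ARTIFACTS):
        print(f"{pkg}: {problem}")
```

In CI this is the check an `npm ci`-style install performs implicitly; running it explicitly lets a pipeline fail on a range or a missing hash before anything is installed.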
Signed commits

```bash
# Sign every commit by default, using an SSH key instead of GPG
git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
```

SLSA Framework
- Level 1: Build scripted, provenance generated
- Level 2: Hosted build, signed provenance
- Level 3: Hardened build platform
- Level 4: Two-party review, hermetic builds
Key takeaway
Sign commits and artifacts. Pin dependencies. Use the SLSA framework as a roadmap for supply chain security.