Supply Chain Security
OWASP A03:2025 - Software Supply Chain Failures
When NOT to Use This Skill
- License compliance - Use
license-complianceskill for SPDX and license auditing - Secrets in dependencies - Use
secrets-managementfor credential issues - Application-level vulnerabilities - Use
owasp-top-10for code security - Git/GitHub operations - Use Git skills for repository management
Deep Knowledge: Use
mcp__documentation__fetch_docswith technology:securityfor comprehensive documentation.
Key Risks
| Risk | Impact | Mitigation | |------|--------|------------| | Vulnerable dependencies | RCE, data breach | Regular audits, auto-updates | | Typosquatting | Malicious code execution | Verify package names | | Compromised packages | Backdoors, malware | Lockfiles, integrity checks | | CI/CD pipeline attacks | Code injection, secrets theft | Least privilege, signed commits |
Dependency Auditing
Node.js
# Built-in audit
npm audit
npm audit fix
npm audit --json > audit.json
# Advanced scanning
npx snyk test
npx retire
# Auto-fix PRs
# Use Dependabot or Renovate
Python
# pip-audit
pip-audit
pip-audit --output=json
# Safety
safety check
safety check -r requirements.txt
# pip install with hash verification
pip install --require-hashes -r requirements.txt
Java
# OWASP Dependency Check
mvn dependency-check:check
./gradlew dependencyCheckAnalyze
# Snyk
snyk test --all-projects
Lockfiles
Always commit and use lockfiles:
| Package Manager | Lockfile | Install Command |
|----------------|----------|-----------------|
| npm | package-lock.json | npm ci |
| yarn | yarn.lock | yarn install --frozen-lockfile |
| pnpm | pnpm-lock.yaml | pnpm install --frozen-lockfile |
| pip | requirements.txt (with hashes) | pip install --require-hashes |
| poetry | poetry.lock | poetry install --no-root |
# npm - use ci in CI/CD
npm ci # NOT npm install
# Verify integrity
npm audit signatures
SBOM Generation
Software Bill of Materials for transparency:
# CycloneDX format
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# SPDX format
npx spdx-sbom-generator
# Syft (multi-language)
syft . -o cyclonedx-json > sbom.json
Package Integrity
Subresource Integrity (SRI)
<script src="https://cdn.example.com/lib.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/..."
crossorigin="anonymous">
</script>
npm package verification
# Verify signatures
npm audit signatures
# Disable postinstall scripts
npm config set ignore-scripts true
# Or per-install
npm install --ignore-scripts
CI/CD Security
GitHub Actions
# Pin actions to SHA
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
# Minimal permissions
permissions:
contents: read
packages: write
# Signed commits requirement
# Enable in repo settings: "Require signed commits"
Secrets in CI/CD
# Never echo secrets
- run: |
# Wrong
echo ${{ secrets.API_KEY }}
# Right - use as env var
env:
API_KEY: ${{ secrets.API_KEY }}
run: ./deploy.sh
Dependabot Configuration
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
dev-dependencies:
dependency-type: "development"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
Security Checklist
- [ ] All dependencies audited regularly
- [ ] Lockfiles committed and enforced
- [ ] CI/CD uses
npm ci/ frozen lockfile - [ ] Dependabot/Renovate enabled
- [ ] SBOM generated for releases
- [ ] Package signatures verified
- [ ] Post-install scripts disabled in CI
- [ ] GitHub Actions pinned to SHA
- [ ] Minimal CI/CD permissions
Anti-Patterns
| Anti-Pattern | Why It's Bad | Correct Approach |
|--------------|--------------|------------------|
| Using npm install in CI | Non-deterministic builds | Use npm ci with lockfiles |
| Not committing lockfiles | Inconsistent dependencies | Always commit package-lock.json |
| Ignoring audit warnings | Known vulnerabilities in prod | Fix or accept risk explicitly |
| Using wildcards in versions (^, ~) | Unexpected breaking changes | Pin exact versions for critical deps |
| Running postinstall scripts blindly | Malicious code execution | Use --ignore-scripts or audit first |
| No Dependabot/Renovate | Manual dependency updates | Enable automated PR creation |
Quick Troubleshooting
| Issue | Likely Cause | Solution |
|-------|--------------|----------|
| npm audit shows 100+ vulnerabilities | Transitive dependencies | Run npm audit fix, check for breaking changes |
| Lockfile conflicts in PR | Different npm versions | Use same npm version across team (in .nvmrc) |
| CI build fails after dependency update | Breaking change in minor version | Pin exact versions, test before merging |
| Package not found during install | Typosquatting or removed package | Verify package name on npmjs.com |
| SBOM generation fails | Missing dependencies | Run npm ci before generating SBOM |
| Dependabot PRs failing | Incompatible version | Review changelog, may need code changes |
微信扫一扫