SupplyShield: Fortify Your Software Supply Chain
SupplyShield is an open-source application security orchestration framework designed to secure your software supply chain from vulnerabilities, malicious dependencies, and unapproved base images. It provides a comprehensive solution to automate the detection, prioritization, and resolution of security issues in your open-source dependencies and containerized applications.
Features
- Software Composition Analysis (SCA): Identify vulnerabilities in your open-source dependencies using grype and osv.
- Automated Detection of Untrusted Packages: Identify malicious open-source packages and prevent supply chain attacks.
- Automated SBOM Generation: Track dependencies using tools like cdxgen and syft.
- Layer-Based Image Scanning: Detect unauthorized base images and outdated layers in Docker containers.
- Ownership Resolution: Leverage graph-based mapping to assign vulnerabilities to the right microservices.
- Seamless Integration with CI/CD Pipelines: Automate security checks from development to deployment.
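To show what the ownership-resolution feature above amounts to in practice, here is an added example (not SupplyShield's own code) that walks a small dependency graph of package -> image -> microservice edges to route each finding to the services that ship the affected package, with unowned findings kept visible rather than dropped. The graph edges, the `svc:` naming convention and the grype-style findings are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample graph (not real scan output): package -> image and
# image -> microservice edges, as an SBOM/scan pipeline might build them.
GRAPH_EDGES = [
    ("pkg:pypi/requests@2.25.0", "registry.example/payments:1.4"),
    ("pkg:pypi/requests@2.25.0", "registry.example/orders:2.0"),
    ("pkg:npm/lodash@4.17.15", "registry.example/web:3.1"),
    ("registry.example/payments:1.4", "svc:payments"),
    ("registry.example/orders:2.0", "svc:orders"),
    ("registry.example/web:3.1", "svc:web"),
]

# Constructed findings in the shape of a grype-style match (purl + severity);
# the ids are placeholders, not real vulnerability identifiers.
FINDINGS = [
    {"id": "VULN-A", "purl": "pkg:pypi/requests@2.25.0", "severity": "High"},
    {"id": "VULN-B", "purl": "pkg:npm/lodash@4.17.15", "severity": "Critical"},
    {"id": "VULN-C", "purl": "pkg:pypi/unused@1.0", "severity": "Low"},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def build_graph(edges):
    """Adjacency map: node -> set of downstream nodes."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def owning_services(graph, node, seen=None):
    """Follow package -> image -> service edges and collect every reachable svc: node."""
    seen = seen if seen is not None else set()
    services = set()
    for nxt in graph.get(node, ()):
        if nxt in seen:
            continue
        seen.add(nxt)
        if nxt.startswith("svc:"):
            services.add(nxt)
        else:
            services |= owning_services(graph, nxt, seen)
    return services


def assign_findings(edges, findings):
    """Map service -> findings (highest severity first); unowned ones land under 'unassigned'."""
    graph = build_graph(edges)
    assigned = defaultdict(list)
    for finding in findings:
        for svc in owning_services(graph, finding["purl"]) or {"unassigned"}:
            assigned[svc].append(finding)
    for svc in assigned:
        assigned[svc].sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)
    return dict(assigned)
```

A shared package such as `requests` is reported once per owning service, and anything the graph cannot place is surfaced under `unassigned` so gaps in the mapping are reviewed rather than silently lost.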
The SupplyShield tech stack is Python, Flask, PostgreSQL, Docker and several supporting libraries.
The following diagram illustrates the architecture of SupplyShield:
SupplyShield primarily leverages the following tools:
- cdxgen – For generating codebase SBOM
- osv – SCA database for cdxgen
- syft – For generating docker container SBOM
- grype – For generating docker container SCA
- scancodeio – Pipeline for SupplyShield scans
- semgrep – For performing SAST
- Metabase – Provides a dashboard for visualisation
SupplyShield runs in a multi-service mode to optimize for respective use cases:
- daemon: Polls deployment events from an SQS queue to trigger scans
- cron: Cron job to sync Atlassian Jira with the SupplyShield dashboard
- api: Serves the actionable dashboard and the other SupplyShield APIs