SupplyShield: Fortify Your Software Supply Chain
SupplyShield is an open-source application security orchestration framework designed to secure your software supply chain from vulnerabilities, malicious dependencies, and unapproved base images. It provides a comprehensive solution to automate the detection, prioritization, and resolution of security issues in your open-source dependencies and containerized applications.
Features
- Software Composition Analysis (SCA): Identify vulnerabilities in your open-source dependencies using grype and osv.
- Automated Detection of Untrusted Packages: Identify malicious open-source packages and prevent supply chain attacks.
- Automated SBOM Generation: Track dependencies using tools like cdxgen and syft.
- Layer-Based Image Scanning: Detect unauthorized base images and outdated layers in Docker containers.
- Ownership Resolution: Leverage graph-based mapping to assign vulnerabilities to the right microservices.
- Seamless Integration with CI/CD Pipelines: Automate security checks from development to deployment.
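The layer-based image check above works because an image built FROM a base image inherits the base's filesystem layers in order, so the base's layer digests are a prefix of the image's layer list. The following Python is an added illustration of that idea, not SupplyShield's own code; the registry names and digests are constructed sample values.

```python
"""Layer-based base-image check (added illustration, not SupplyShield's code).

Comparing an image's leading layer digests against an allowlist of approved
base images tells us whether the base is authorized and, if so, whether it is
the current tag or an outdated one. All digests here are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: approved base image -> ordered layer digests, plus the
# set of tags considered current. Real values would be pulled from a registry.
APPROVED_BASES = {
    "registry.example/base/python:3.12": ["sha256:a1", "sha256:a2", "sha256:a3"],
    "registry.example/base/python:3.11": ["sha256:a1", "sha256:b2", "sha256:b3"],
}
CURRENT_TAGS = {"registry.example/base/python:3.12"}


@dataclass
class BaseImageVerdict:
    status: str                 # "approved", "outdated" or "unauthorized"
    base: Optional[str] = None  # matched approved base image, if any
    shared_layers: int = 0      # length of the matched layer prefix


def check_base_image(image_layers):
    """Classify an image from its ordered layer digests.

    The longest allowlisted prefix wins, so a base that is itself built on
    another approved base resolves to the more specific image.
    """
    best = None
    for base, layers in APPROVED_BASES.items():
        n = len(layers)
        if len(image_layers) >= n and image_layers[:n] == layers:
            if best is None or n > best[1]:
                best = (base, n)
    if best is None:
        return BaseImageVerdict("unauthorized")
    base, n = best
    status = "approved" if base in CURRENT_TAGS else "outdated"
    return BaseImageVerdict(status, base, n)


if __name__ == "__main__":
    # Constructed images: on the current base, on an old base, on an unknown base.
    samples = {
        "svc-a": ["sha256:a1", "sha256:a2", "sha256:a3", "sha256:c9"],
        "svc-b": ["sha256:a1", "sha256:b2", "sha256:b3", "sha256:d4"],
        "svc-c": ["sha256:zz", "sha256:a2", "sha256:a3"],
    }
    for name, layers in samples.items():
        print(name, check_base_image(layers))
```

Because a rebuild of the same base Dockerfile produces new layer digests, the allowlist has to be refreshed whenever an approved base is republished, or every downstream image will be reported as unauthorized.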
SupplyShield's tech stack is Python, Flask, PostgreSQL, Docker and several libraries.
The following diagram illustrates the architecture of SupplyShield:

SupplyShield primarily leverages the following tools:
- cdxgen – generates the codebase SBOM
- osv – SCA database queried for the cdxgen SBOM
- syft – generates the Docker container SBOM
- grype – performs SCA on the Docker container SBOM
- scancodeio – pipeline engine for SupplyShield scans
- semgrep – performs SAST
- Metabase – provides the dashboard for visualisation
SupplyShield runs in a multi-service mode to optimize for respective use cases:
- daemon: Polls deployment events from an SQS queue to trigger scans.
- cron: Cron job that syncs Atlassian Jira with the SupplyShield dashboard.
- api: Provides the actionable dashboard and the other SupplyShield APIs.
Install