zhongwei/gh-project-codeguard-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-project-codeguard-rules/skills/software-security/rules/codeguard-0-supply-chain-security.md
Zhongwei Li 0f14e8d5a1 Initial commit
2025-11-30 08:48:30 +08:00

2.5 KiB
Raw Permalink Blame History

description, languages, alwaysApply
description languages alwaysApply
Dependency & supply chain security (pinning, SBOM, provenance, integrity, private registries)
docker
javascript
yaml
false

rule_id: codeguard-0-supply-chain-security

Dependency & Supply Chain Security

Control thirdparty risk across ecosystems, from selection and pinning to provenance, scanning, and rapid response.

Policy and Governance

  • Maintain allowlisted registries and scopes; disallow direct installs from untrusted sources.
  • Require lockfiles and version pinning; prefer digest pinning for images and vendored assets.
  • Generate SBOMs for apps/images; store with artifacts; attest provenance (SLSA, Sigstore).

Package Hygiene (npm focus applicable to others)

  • Regularly audit (npm audit, ecosystem SCA) and patch; enforce SLAs by severity.
  • Use deterministic builds: npm ci (not npm install) in CI/CD; maintain lockfile consistency.
  • Avoid install scripts that execute on install when possible; review for risk.
  • Use .npmrc to scope private registries; avoid wildcard registries; enable integrity verification.
  • Enable account 2FA for publishing

Development Practices

  • Minimize dependency footprint; remove unused packages; prefer stdlib/firstparty for trivial tasks.
  • Protect against typosquatting and protestware: pin maintainers, monitor releases, and use provenance checks.
  • Hermetic builds: no network in compile/packaging stages unless required; cache with authenticity checks.

CI/CD Integration

  • SCA, SAST, IaC scans in gates; fail on criticals; require approvals for overrides with compensating controls.
  • Sign artifacts; verify signatures at deploy; enforce policy in admission.

Vulnerability Management

  • For patched vulnerabilities: test and deploy updates; document any API breaking changes.
  • For unpatched vulnerabilities: implement compensating controls (input validation, wrappers) based on CVE type; prefer direct dependency fixes over transitive workarounds.
  • Document risk decisions; escalate acceptance to appropriate authority with business justification.

Incident Response

  • Maintain rapid rollback; isolate compromised packages; throttle rollouts; notify stakeholders.
  • Monitor threat intel feeds (e.g., npm advisories); autoopen tickets for critical CVEs.

Implementation Checklist

  • Lockfiles present; integrity checks on; private registries configured.
  • SBOM + provenance stored; signatures verified predeploy.
  • Automated dependency updates with tests and review gates.
  • Highsev vulns remediated within SLA or mitigated and documented.
Reference in New Issue View Git Blame Copy Permalink