Supply Chain Security Framework
Definition
A Supply Chain Security Framework is a structured approach to securing the whole software lifecycle, from the moment code is written through build, distribution, deployment and maintenance. It covers the practices and tooling that defend against vulnerabilities and tampering introduced through third-party components, open-source dependencies, build tooling and external services. Its goal is to preserve the integrity and authenticity of the delivered software through controls such as code and artifact signing, dependency pinning and auditing, and continuous monitoring of what actually ships.
Secure Settings Example
# Example of a secure CI/CD pipeline configuration in a YAML file (GitLab CI syntax)
stages:
  - build
  - test
  - deploy

build:
  stage: build
  script:
    # npm ci installs exactly what package-lock.json pins, verifying each tarball's
    # integrity hash, and fails if the lockfile is missing or out of sync with package.json.
    - npm ci
    # Fail the build on known advisories in runtime dependencies. Newer npm spells this
    # flag --omit=dev; add --audit-level=high to fail only on high/critical findings.
    - npm audit --production
    - npm run build
  artifacts:
    paths:
      - dist/
  only:
    - main

# No job is defined for the test stage in this example.

deploy:
  stage: deploy
  script:
    # Deploys the dist/ artifact produced by the audited build job above.
    - kubectl apply -f k8s/deployment.yaml
  environment:
    name: production
  only:
    - main
Insecure Settings Example
# Example of an insecure CI/CD pipeline configuration in a YAML file (GitLab CI syntax)
stages:
  - build
  - test
  - deploy

build:
  stage: build
  script:
    # npm install resolves the newest versions allowed by package.json and may rewrite
    # package-lock.json on the runner, so the build is not reproducible and an
    # unexpected (or compromised) release can enter the artifact unnoticed.
    - npm install
    # No npm audit step: known-vulnerable dependencies are built and shipped.
    - npm run build
  artifacts:
    paths:
      - dist/
  only:
    - main

deploy:
  stage: deploy
  script:
    - kubectl apply -f k8s/deployment.yaml
  environment:
    name: production
  only:
    - main
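The following is an added example, not code from the original page or from any named project. It implements the dependency-management control named in the definition above and makes concrete the difference between the two pipelines: what `npm ci` enforces (every dependency pinned to a resolved registry URL with a strong SRI integrity hash, and package.json in sync with the lockfile) that `npm install` does not. It assumes the npm v7+ lockfile format (lockfileVersion 2 or 3 with a "packages" map); the manifest and lockfile it inspects are constructed for this example and the digests are placeholders, not real hashes.

```python
"""Lockfile hygiene check (added example, not from the original page).

Flags lock entries that `npm ci` could not reproduce or verify, and the
package.json/lockfile drift that `npm ci` refuses and `npm install` silently
repairs. Assumes lockfileVersion 2/3 ("packages" map). Sample data below is
constructed; the integrity digests are placeholders, not real tarball hashes.
"""
import base64
import json
import re

# Sources we accept tarballs from; git+ssh, http and private hosts are flagged.
TRUSTED_REGISTRY_PREFIXES = ("https://registry.npmjs.org/",)
SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)$")
SRI_DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}


def audit_lockfile(lock_text: str) -> list[str]:
    """Return one finding per dependency whose lock entry cannot be verified."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2 or "packages" not in lock:
        return ["lockfile: lockfileVersion < 2, no 'packages' map to verify"]
    findings = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link"):  # root project or workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")
        if not resolved:
            findings.append(f"{name}: no 'resolved' URL, install is not reproducible")
        elif not resolved.startswith(TRUSTED_REGISTRY_PREFIXES):
            findings.append(f"{name}: resolved from untrusted source {resolved}")
        if not integrity:
            findings.append(f"{name}: no 'integrity' hash, tarball contents are not verified")
            continue
        match = SRI_RE.match(integrity)
        if not match:
            findings.append(f"{name}: weak or malformed integrity hash ({integrity.split('-')[0]})")
            continue
        algo, b64 = match.groups()
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:
            digest = b""
        if len(digest) != SRI_DIGEST_LEN[algo]:
            findings.append(f"{name}: integrity digest is not a valid {algo} value")
    return findings


def check_lock_in_sync(package_json_text: str, lock_text: str) -> list[str]:
    """The pre-flight check `npm ci` performs and `npm install` skips: the
    lockfile's root entry must declare the same dependency specs as package.json."""
    manifest = json.loads(package_json_text)
    root = json.loads(lock_text).get("packages", {}).get("", {})
    drift = []
    for section in ("dependencies", "devDependencies"):
        wanted, locked = manifest.get(section, {}), root.get(section, {})
        for name, spec in wanted.items():
            if name not in locked:
                drift.append(f"{section}: {name}@{spec} is in package.json but not in the lockfile")
            elif locked[name] != spec:
                drift.append(f"{section}: {name} spec is {spec} but lockfile still says {locked[name]}")
        for name in sorted(locked.keys() - wanted.keys()):
            drift.append(f"{section}: {name} is locked but no longer in package.json")
    return drift


def _fake_sri(algo: str, size: int, fill: int) -> str:
    # Placeholder digest of the right length for the algorithm; NOT a real hash.
    return f"{algo}-" + base64.b64encode(bytes([fill]) * size).decode()


# Constructed sample inputs: lodash was added to package.json without re-locking.
_LOCKED_DEPS = {"left-pad": "^1.3.0", "legacy-lib": "^0.1.0",
                "internal-tool": "^2.0.0", "no-hash": "^1.0.0"}
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "example-app", "dependencies": {**_LOCKED_DEPS, "lodash": "^4.17.21"}})
SAMPLE_LOCK = json.dumps({"name": "example-app", "lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "dependencies": _LOCKED_DEPS},
    "node_modules/left-pad": {  # clean entry
        "version": "1.3.0", "integrity": _fake_sri("sha512", 64, 0x01),
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/legacy-lib": {  # sha1 SRI is not accepted
        "version": "0.1.0", "integrity": _fake_sri("sha1", 20, 0x02),
        "resolved": "https://registry.npmjs.org/legacy-lib/-/legacy-lib-0.1.0.tgz"},
    "node_modules/internal-tool": {  # tarball fetched from outside the registry
        "version": "2.0.0", "integrity": _fake_sri("sha512", 64, 0x03),
        "resolved": "https://example.com/dl/internal-tool-2.0.0.tgz"},
    "node_modules/no-hash": {  # no integrity field at all
        "version": "1.0.0",
        "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-1.0.0.tgz"},
}})

if __name__ == "__main__":
    problems = audit_lockfile(SAMPLE_LOCK) + check_lock_in_sync(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)
    for problem in problems:
        print("FAIL", problem)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI job
```

Run it as a job in the build stage before `npm ci` (against the committed package.json and package-lock.json) and it fails the pipeline the moment a developer switches a dependency to an off-registry tarball, drops its integrity hash, or edits package.json without re-locking; the same checks are a useful gate on pull requests that touch the lockfile.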