Supply Chain Security

To successfully secure your software supply chain, you need to understand the connection between your current infrastructure and application security. The supply chain capability on Code Security is a code-centric view of your infrastructure and application security that visualizes a supply chain graph, starting with the IaC templates, through the services, through deployed cloud workload resources including associated permissions, and the runtime configuration on these resources. For example, a compromise in your infrastructure may exist if you have an upstream vulnerability in one of the resources that can affect your application. Knowing about this is critical to patch your code and mitigate exposure.
The supply chain graph is a real-time auto-discovery of potentially misconfigured infrastructure and application files, sorted into a neat data model that you can use to prioritize and search. The supply chain graph applies a new data model to the existing scanner findings. The scanners show data points as passed or failed policies and include a known vulnerability. The graph connects these data points of actual utilization of the resources in a running application and shows how different attributes and infrastructure are connected and interdependent.
You can view all the files within the repository sorted based on the number of misconfigurations and vulnerabilities on the supply chain graph. The graph identifies infrastructure, image, open-source, and secrets and combines that data to identify risk chains.

Supply Chain Graph

Familiarize yourself with supply chain graph, a data model to visualize supply chains.
  • GitHub Organization.
    This is the integrated organization account.
  • Integrated Repository.
    This is your integrated repository.
  • Repository Files.
    The different files that are hosted on your repository are sorted by the number of misconfigurations and vulnerabilities.
  • Resources.
    The resource files connected to your files. The resources identify use of infrastructure, image, open source and secrets and start to combine that data together to identify chains of risk. This is a real-time attestation of your supply chain.
  • Resource Explorer.
    The metadata on how the resource is configured and history of previous misconfigurations.
  • Runtime Resource.
    View the runtime resource that is triggered and the runtime configuration along with Resource history and audit trail.

View the Supply Chain for your Repository

You can view a supply chain graph for any integrated repository.
  1. Select
    Code Security > Supply Chain.
  2. Select a repository to view the corresponding supply chain graph.

Recommended For You