Supply Chain Goat follows the tradition of existing *Goat projects (e.g. OWASP Web Goat). It provides a training ground to practice implementing countermeasures specific to the software supply chain. StepSecurity defines a supply chain attack as an attack that tries to hijack software that you produce or consume.
Follow these tutorials to learn about threats and countermeasures related to the software supply chain. If you would like to see a different threat being addressed, or have other feedback, please create an issue.
This table lists threats and countermeasures related to software supply chain security. More will be added over time.
| Number | Threats | Countermeasures | Related incidents |
|---|---|---|---|
| 1 | DNS exfiltration for reconnaissance from build server | Tutorial: Prevent DNS Exfiltration from build server | Dependency confusion |
| 2 | Exfiltration of secrets from the build server | Tutorial: Restrict outbound traffic from build server | Codecov breach, event-stream incident, VS Code GitHub Bug Bounty Exploit |
| 3 | Exfiltration of GITHUB_TOKEN from the build server |
Tutorial: Set minimum permissions for GITHUB_TOKEN |
VS Code GitHub Bug Bounty Exploit |
| 4 | Masquerading of tools on build server | Tutorial: Cryptographically verify tools run as part of the CI/ CD pipeline (coming soon) | Solar Winds (SUNSPOT) breach, Codecov breach |
| 5 | Modification of source code on build server | Tutorial: Monitor source code on build server | Solar Winds (SUNSPOT) breach |
| 6 | No forensics data about build & release steps | Tutorial: Generate provenance (coming soon) | Solar Winds (SUNSPOT) breach, Codecov breach, event-stream incident |
| 7 | Compromised dependency | Tutorial: Use trustworthy dependencies (coming soon) | event-stream incident, Embedded malware in ua-parser-js |
| 8 | Typosquatting | Tutorial: Use trustworthy dependencies (coming soon) | Malicious python libraries, Typosquatted libraries in Ruby Gems repo |
| 9 | Compromised dependency | Tutorial: Quickly find libraries that are using compromised dependency (coming soon) | event-stream incident, Embedded malware in ua-parser-js |