Supply Chain Goat follows the tradition of existing *Goat projects. It provides a training ground to practice implementing countermeasures specific to the software supply chain.
StepSecurity defines a supply chain attack as an attack that tries to hijack software that you produce or consume.
Follow these hands-on tutorials
(each only takes 2-5 minutes) to learn about threats and countermeasures related to the software supply chain. If you would like to see a different threat being addressed, or have other feedback, please create an issue or participate in discussions.
While you can follow the hands-on tutorials on your own, if you want, you can also attend the free weekly instructor-led session. Each session is limited to 10 attendees. You can register here.
StepSecurity recommends the following prerequisites to be met to get the best out of these tutorials.
- GitHub account
- Basic knowledge of CI/CD pipelines and GitHub Actions
This table lists threats and countermeasures related to software supply chain security. More will be added over time.
Number | Threats | Countermeasures | Related incidents |
---|---|---|---|
1 | DNS exfiltration for reconnaissance from build server | Hands-on Tutorial : Prevent DNS Exfiltration from build server |
Dependency confusion |
2 | Exfiltration of secrets from the build server | Hands-on Tutorial : Restrict outbound traffic from build server |
Codecov breach, event-stream incident, VS Code GitHub Bug Bounty Exploit |
3 | Exfiltration of GITHUB_TOKEN from the build server |
Hands-on Tutorial : Set minimum permissions for GITHUB_TOKEN |
VS Code GitHub Bug Bounty Exploit |
4 | Masquerading of tools on build server | Hands-on Tutorial : Cryptographically verify tools run as part of the CI/ CD pipeline |
Solar Winds (SUNSPOT) breach, Codecov breach |
5 | Modification of source code on build server | Hands-on Tutorial : Monitor source code on build server |
Solar Winds (SUNSPOT) breach |
6 | No forensics data about build & release steps | Tutorial: Generate provenance (coming soon) | Solar Winds (SUNSPOT) breach, Codecov breach, event-stream incident |
7 | Compromised dependency | Hands-on Tutorial : Behavioral analysis of dependencies |
event-stream incident, Embedded malware in ua-parser-js |
8 | Typosquatting | Tutorial: Use trustworthy dependencies (coming soon) | Malicious python libraries, Typosquatted libraries in Ruby Gems repo |
9 | Compromised dependency | Tutorial: Quickly find libraries that are using compromised dependency (coming soon) | event-stream incident, Embedded malware in ua-parser-js |