Supply Chain Goat
Introduction
Supply Chain Goat follows the tradition of existing *Goat projects. It provides a training ground to practice implementing countermeasures specific to the software supply chain.
StepSecurity defines a supply chain attack as an attack that tries to hijack software that you produce or consume.
Follow these hands-on tutorials (each only takes 2-5 minutes) to learn about threats and countermeasures related to the software supply chain. If you would like to see a different threat being addressed, or have other feedback, please create an issue or participate in discussions.
Weekly instructor-led session
While you can follow the hands-on tutorials on your own, if you want, you can also attend the free weekly instructor-led session. Each session is limited to 10 attendees. You can register here.
Prerequisites
StepSecurity recommends the following prerequisites to be met to get the best out of these tutorials.
- GitHub account
- Basic knowledge of CI/CD pipelines and GitHub Actions
Threats and Countermeasures
This table lists threats and countermeasures related to software supply chain security. More will be added over time.
| Number | Threats | Countermeasures | Related incidents |
|---|---|---|---|
| 1 | DNS exfiltration for reconnaissance from build server | Hands-on Tutorial: Prevent DNS Exfiltration from build server |
Dependency confusion |
| 2 | Exfiltration of secrets from the build server | Hands-on Tutorial: Restrict outbound traffic from build server |
Codecov breach, event-stream incident, VS Code GitHub Bug Bounty Exploit |
| 3 | Exfiltration of GITHUB_TOKEN from the build server |
Hands-on Tutorial: Set minimum permissions for GITHUB_TOKEN |
VS Code GitHub Bug Bounty Exploit |
| 4 | Masquerading of tools on build server | Hands-on Tutorial: Cryptographically verify tools run as part of the CI/ CD pipeline |
Solar Winds (SUNSPOT) breach, Codecov breach |
| 5 | Modification of source code on build server | Hands-on Tutorial: Monitor source code on build server |
Solar Winds (SUNSPOT) breach |
| 6 | No forensics data about build & release steps | Tutorial: Generate provenance (coming soon) | Solar Winds (SUNSPOT) breach, Codecov breach, event-stream incident |
| 7 | Compromised dependency | Tutorial: Use trustworthy dependencies (coming soon) | event-stream incident, Embedded malware in ua-parser-js |
| 8 | Typosquatting | Tutorial: Use trustworthy dependencies (coming soon) | Malicious python libraries, Typosquatted libraries in Ruby Gems repo |
| 9 | Compromised dependency | Tutorial: Quickly find libraries that are using compromised dependency (coming soon) | event-stream incident, Embedded malware in ua-parser-js |