Supply Chain & Environment

Tags: Supply Chain, Dependencies, DevOps Security, Infrastructure Security

Supply Chain & Environment vulnerabilities at a glance

What it is: Vulnerabilities in third-party dependencies, build pipelines, container images, cloud configurations, and development environments that can compromise applications before they even run.
Why it happens: Supply chain and environment vulnerabilities stem from unverified or outdated dependencies, insecure build and deployment processes, and weak controls over development and cloud environments.
How to fix: Maintain and verify dependencies, secure build and deployment pipelines, harden cloud and container environments, and apply the principle of least privilege.

Overview

Supply chain vulnerabilities exist outside the application code itself, in the ecosystem of tools, libraries, infrastructure, and processes used to build and deploy software. These risks have grown with the number of third-party components, build services, and cloud resources a typical application now depends on, each of which is a point where untrusted input can reach the build or the runtime.

A single compromised dependency can affect thousands of applications. Insecure CI/CD pipelines can be exploited to inject malicious code. Container images may contain outdated components with known vulnerabilities. Cloud misconfigurations can expose databases, storage, and secrets. Development environment compromises can lead to supply chain attacks.

```mermaid
sequenceDiagram
    participant Attacker
    participant Registry as Package Registry
    participant CI as CI/CD Pipeline
    participant App as Application
    Attacker->>Registry: Publish malicious package update
    CI->>Registry: Fetch dependencies
    Registry-->>CI: Malicious package
    CI->>CI: Build application (includes malicious code)
    CI->>App: Deploy compromised application
    App->>Attacker: Exfiltrate data
    Note over CI: Missing: Dependency scanning<br/>Missing: Package verification<br/>Missing: Build integrity checks
```
A potential flow for a Supply Chain & Environment exploit

Where it occurs

These vulnerabilities often appear in dependency management, build pipelines, container images, and cloud or development environments where weak validation, outdated components, or insecure configurations expose the software supply chain.

Impact

Supply chain compromises can affect entire ecosystems of applications simultaneously, leading to widespread data breaches, malware distribution at scale, backdoor insertion affecting all users, credential and secret exposure, and more.

Prevention

Pin dependencies to exact versions and verify each fetched artifact against a recorded hash or signature before it is installed, keep them updated, secure build and deployment pipelines (isolated, least-privilege runners and reproducible builds), harden cloud and container environments, keep secrets out of source code and build logs, and maintain visibility with scanning, monitoring, and SBOMs for supply chain integrity.
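The "Missing: Package verification" note in the flow diagram above and the "verify dependencies" step of the prevention advice come down to one check: the bytes the pipeline fetched must match a digest that was recorded when the dependency was trusted. The following is an added example (not code from the original page or from Sourcery) that implements that check for a lockfile in pip's `--require-hashes` layout, where each pinned requirement carries one or more `--hash=sha256:` entries. The package names, artifact bytes, and lockfile contents are constructed for the demo and do not correspond to real wheels; an unpinned line or a pin without a hash is treated as an error rather than silently accepted, because either would let the build fall back to unverified installs.

```python
"""Verify fetched dependency artifacts against digests pinned in a lockfile.

Added example, not part of the original page. Constructed inputs only:
the "wheel" bytes below are placeholders, not real packages.
"""
import hashlib
import re
from typing import Dict, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for downloaded wheels (assumption: these
# are the bytes that were reviewed when the lockfile was generated).
GOOD_ARTIFACTS: Dict[str, bytes] = {
    "requests==2.32.3": b"demo wheel contents for requests",
    "idna==3.7": b"demo wheel contents for idna",
}

# Constructed lockfile in pip's hash-pinned format. A trailing backslash
# continues the requirement onto the next line, as pip-compile emits it.
LOCKFILE = (
    "# generated at a trusted point; every pin carries its sha256\n"
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_ARTIFACTS['requests==2.32.3'])}\n"
    "idna==3.7 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_ARTIFACTS['idna==3.7'])}\n"
)

# What an attacker's republished package might look like: same name and
# version, different bytes.
TAMPERED_REQUESTS = GOOD_ARTIFACTS["requests==2.32.3"] + b"\n# injected payload"

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")


def parse_lockfile(text: str) -> Dict[str, Set[str]]:
    """Map 'name==version' (name lower-cased) to its set of allowed digests.

    Continuation lines are joined first. A requirement that is not an exact
    '==' pin, or a pin with no --hash, raises ValueError: a lockfile that
    can express "any version" or "no digest" is not a lockfile.
    """
    joined = text.replace("\\\n", " ")
    pins: Dict[str, Set[str]] = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = set(HASH_RE.findall(line))
        if not digests:
            raise ValueError(f"no --hash for {m.group('name')}; refusing unverified pin")
        key = f"{m.group('name').lower()}=={m.group('version')}"
        pins[key] = digests
    return pins


def verify_artifact(pins: Dict[str, Set[str]], requirement: str, artifact: bytes) -> bool:
    """True only if the artifact's sha256 is one of the digests pinned for it."""
    allowed = pins.get(requirement.lower())
    if allowed is None:
        raise KeyError(f"{requirement} is not present in the lockfile")
    return sha256_hex(artifact) in allowed


def check_fetched(pins: Dict[str, Set[str]], fetched: Dict[str, bytes]) -> Dict[str, bool]:
    """Verify every fetched artifact; the build should proceed only if all are True."""
    return {req: verify_artifact(pins, req, data) for req, data in fetched.items()}


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    result = check_fetched(pins, {**GOOD_ARTIFACTS, "requests==2.32.3": TAMPERED_REQUESTS})
    for req, ok in result.items():
        print(f"{req}: {'ok' if ok else 'REJECTED (digest mismatch)'}")
    if not all(result.values()):
        raise SystemExit("refusing to build: at least one dependency failed verification")
```

In a real pipeline the same property is enforced by `pip install --require-hashes -r requirements.txt` (or the equivalent lockfile mode of npm, Cargo, or Go modules); the point of the example is what that flag is actually checking, and why a pin without a recorded digest should fail the build rather than be installed on trust.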

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies supply chain & environment vulnerabilities and related issues in your codebase.
