DevOps Dictionary

Software Supply Chain Security

Software Supply Chain Security is the practice of protecting the end-to-end process of building, packaging, and delivering software, including source code, third-party dependencies, build systems, container images, and CI/CD pipelines. It addresses the risk of indirect compromise, where attackers tamper with a dependency, inject code during the build, or replace a trusted artifact before it reaches production. At a high level, it works by tightening access controls, continuously verifying integrity (ensuring artifacts match what was built), and producing provenance (a verifiable record of what inputs and steps created a release) so changes are traceable and auditable.
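The two mechanisms named above, integrity verification and provenance, can be shown with a small worked example. The code below is an added illustration, not code from this dictionary or from any particular tool: it builds a toy artifact from a few constructed source inputs, records a provenance record (builder identity, digest of every input, digest of the output) and authenticates that record with an HMAC, then checks a release against it. The builder name, the signing key and the input files are all constructed sample values; real systems would use a proper signing scheme and an attestation format such as SLSA provenance rather than a bare HMAC.

```python
"""Added example: minimal artifact integrity and provenance checking (not the page's own code)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_artifact(inputs: dict[str, bytes]) -> bytes:
    """Hypothetical deterministic build: concatenate inputs in sorted name order.

    Determinism matters because it lets anyone rebuild from the same inputs
    and obtain the same output digest (reproducibility).
    """
    return b"".join(inputs[name] for name in sorted(inputs))


def make_provenance(inputs: dict[str, bytes], artifact: bytes,
                    builder_id: str, signing_key: bytes) -> dict:
    """Record what produced the artifact and authenticate the record with an HMAC."""
    record = {
        "builder": builder_id,
        "inputs": {name: sha256_hex(data) for name, data in sorted(inputs.items())},
        "output": sha256_hex(artifact),
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return record


def verify(artifact: bytes, provenance: dict, signing_key: bytes) -> tuple[bool, str]:
    """Check the provenance record's authenticity first, then the artifact digest."""
    record = {k: v for k, v in provenance.items() if k != "signature"}
    payload = json.dumps(record, sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, provenance.get("signature", "")):
        return False, "provenance record signature mismatch"
    if sha256_hex(artifact) != provenance["output"]:
        return False, "artifact digest does not match provenance"
    return True, "ok"


def changed_inputs(inputs: dict[str, bytes], provenance: dict) -> list[str]:
    """Traceability: name the inputs whose digest differs from the recorded one."""
    recorded = provenance["inputs"]
    return sorted(
        name for name, data in inputs.items()
        if recorded.get(name) != sha256_hex(data)
    )


def demo() -> dict:
    """Run the three cases a reviewer cares about: clean, tampered, forged record."""
    key = b"constructed-demo-key"          # constructed; not a real secret
    inputs = {                              # constructed sample sources
        "app.py": b"print('hello')\n",
        "lib.py": b"def f(): return 1\n",
    }
    artifact = build_artifact(inputs)
    prov = make_provenance(inputs, artifact, "ci-runner-01", key)

    tampered = artifact + b"# appended after the build\n"
    # Someone rewriting the record to match a tampered artifact cannot
    # recompute the HMAC without the key, so the record fails first.
    forged = dict(prov)
    forged["output"] = sha256_hex(tampered)

    # A changed dependency is pinpointed by name, not just "something differs".
    drifted = dict(inputs, **{"lib.py": b"def f(): return 2\n"})

    return {
        "clean": verify(artifact, prov, key),
        "tampered": verify(tampered, prov, key),
        "forged": verify(tampered, forged, key),
        "drift": changed_inputs(drifted, prov),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks in `verify` is deliberate: the provenance record is authenticated before it is trusted to say anything about the artifact, otherwise an attacker who can replace the artifact could simply replace the record alongside it.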

With Software Supply Chain Security, teams can ship releases that are reproducible, verifiable, and easier to investigate; without it, a single compromised library or build step can quietly propagate malware to production and downstream customers. This exposure exists because modern delivery relies on many external components and automated tools, which multiplies the places where an attacker can hide a change.
