tldr - powered by Generative AI

• Recent compromises of Codecov and Solar Winds have put a spotlight on software supply chain attacks.
• Lessons that Shopify has learned in protecting millions of businesses and demonstrate these techniques using open source software.
• Traditional defensive techniques can be applied in the cloud.
• Voucher and grafeas implementations can give you control over the software that runs in your clusters.
• The SLSA framework can guide you toward establishing trust in your software.
• Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised.
• Specific techniques for mitigating supply chain attacks include scanning or reviewing the code, using static analysis, and looking at the reputation and response to previous incidents of the maintainers.
• We can expect more from our suppliers by asking for receipts, an S-bomb, and what your software is made of.