CODE.md
September 2, 2023 ยท View on GitHub
The Software Supply Chain Stages
| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
|---|---|---|---|---|---|---|---|---|---|
| Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
| QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
| DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | Payment gateways | ||
| Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | Identity Providers | ||
| Page Builders | Packages | Security tests | Web engines | Analytics | |||||
| Open source | API test frameworks | Databases | Proxies | ||||||
| Proprietary Code | Unit tests | ||||||||
| People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
Source Code
This includes any software that is needed to successfully write, build or deploy an application.
What's in scope?
- Programming languages
- Frameworks
- Libraries
- Package managers
- Open source components
- Proprietary code
Examples
Programming Languages
Frameworks & libraries
Package managers

Who owns it?
- Development teams
- DevOps team
What are the security concerns?
- Knowing what's in your software is the first key
- Source code components are coming from many different sources and used in applications
- Dependency origin for the source code we use is critically important
- Package managers are a primary target for attackers
How do I secure it?
- Use secure package repositories
- Analysis source code composition
- Software bill of materials