[G1-Sync] Manual knowledge update

This commit is contained in:
Antigravity Agent
2026-05-10 22:08:15 +09:00
parent 21ac3ed255
commit 504fd5fb42
3011 changed files with 380280 additions and 206977 deletions
@@ -0,0 +1,356 @@
---
id: security-sbom-supply-chain
title: SBOM / Supply Chain Security — provenance / sigstore
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, supply-chain, vibe-coding]
tech_stack: { language: "YAML", applicable_to: ["Security", "DevOps"] }
applied_in: []
aliases: [SBOM, software bill of materials, supply chain, sigstore, provenance, SLSA, npm audit signatures]
---
# SBOM / Supply Chain Security
> "내 software 의 component 가 무엇 / 누가 build?". **SBOM (component list), provenance (build origin), sigstore (signing)**. Modern requirement.
## 📖 핵심 개념
- SBOM: 매 component 의 inventory.
- Provenance: build 의 source.
- Signing: identity + integrity.
- Vulnerability tracking.
## 💻 코드 패턴
### SBOM (Software Bill of Materials)
```bash
# Syft (Anchore)
syft my-image:latest -o cyclonedx-json > sbom.json
# 또는 npm
npm sbom
# 또는 docker
docker sbom my-image
```
### CycloneDX format
```json
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{ "name": "react", "version": "19.0.0", "purl": "pkg:npm/react@19.0.0" },
{ "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2" }
]
}
```
### SPDX (alternative)
```
NIST recommended.
- License focus.
- Government 친화.
```
### Vulnerability scan
```bash
grype sbom:./sbom.json
# → CVE list.
trivy sbom ./sbom.json
```
### SLSA (Supply chain Levels for Software Artifacts)
```
Level 1: Documentation only.
Level 2: Hosted build.
Level 3: Hardened build.
Level 4: 2-party reviewed.
→ Build 의 trustworthiness.
```
### npm provenance (npm 9+)
```json
// package.json
{
"publishConfig": {
"provenance": true
}
}
```
```bash
# CI publish
npm publish --provenance
```
→ Build 가 GitHub Actions 의 어느 commit + workflow.
### npm audit signatures
```bash
npm audit signatures
# → 모든 dep 의 signature 검증.
```
### Sigstore (signing)
```bash
cosign sign --key cosign.key my-image:latest
cosign verify my-image:latest --certificate-identity ...
```
→ Cert + log = "이 image 가 누가 build".
### Cosign + GitHub OIDC
```yaml
# .github/workflows/release.yml
- uses: sigstore/cosign-installer@v3
- run: cosign sign --yes ${{ github.repository }}@${{ steps.push.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: 1
```
→ Keyless. OIDC 가 identity.
### Verify (deploy time)
```yaml
# Kyverno / Cosign policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
spec:
rules:
- name: verify-images
verifyImages:
- imageReferences: ['*']
attestors:
- entries:
- keyless:
subject: 'https://github.com/me/.*'
```
→ K8s 의 image 가 my org 가 sign 만 deploy.
### Dependency tree depth
```bash
npm ls --depth=99 --all
# → 모든 transitive.
# 또는 SBOM 만 보면 됨.
```
→ "이 dep 가 어디 from?".
### Vulnerability disclosure (CVE)
```
CVE = Common Vulnerabilities and Exposures.
- 매 vulnerability 의 ID.
- CVSS (severity score).
- NVD database.
```
### Auto patch
```
- Dependabot / Renovate (auto PR).
- Snyk (managed).
- Socket (malicious detect).
→ Vulnerability 의 자동 fix.
```
→ [[DevOps_Renovate_Dependabot]].
### License compliance
```bash
license-checker --production --onlyAllow="MIT;Apache-2.0;BSD"
```
→ GPL / AGPL 가 commercial = 제외.
### Image scanning
```bash
trivy image my-image:latest
# Output:
# Total: 23 (CRITICAL: 2, HIGH: 5)
```
```yaml
# CI
- run: trivy image --severity CRITICAL,HIGH --exit-code 1 my-image
```
→ CI gate.
### Software supply chain attack
```
Famous:
- 2020 SolarWinds: build server compromise.
- 2021 ua-parser-js: maintainer hijack.
- 2024 xz-utils: long-running social engineering.
- 2024 Polyfill.io: domain takeover.
→ 매 link 가 weak.
```
### Defense
```
1. SBOM 가 visibility.
2. Signature + provenance 가 trust.
3. Vulnerability scan 가 detect.
4. Lock file 가 reproducibility.
5. Minimal base image.
6. Audit signatures (npm).
7. Auto-update.
8. Internal mirror (npm Enterprise).
```
### Internal package mirror
```
- npm Enterprise.
- Verdaccio (open source).
- JFrog Artifactory.
- AWS CodeArtifact.
- GCP Artifact Registry.
→ 외부 npm 가 down 또는 attack 가도 OK.
```
### Reproducible build
```
- Lock file (package-lock.json).
- Pinned base image (sha256:...).
- Git commit SHA in build artifact.
- Same input → same output.
```
### Container best practice
```dockerfile
# ❌ Latest tag (drift).
FROM node:latest
# ✅ Specific
FROM node:20.10.0-alpine@sha256:...
```
### Distroless (작은 attack surface)
```dockerfile
FROM gcr.io/distroless/nodejs20-debian12
COPY ./app /app
CMD ['/app/server.js']
```
→ No shell, no apt-get. Smallest.
### Vulnerability response
```
1. CVE 발생.
2. Auto PR (Renovate).
3. Test pass = auto-merge.
4. Deploy.
5. Verify (no exploit).
→ "Mean time to patch" metric.
```
### EU CRA (Cyber Resilience Act)
```
2027 의 mandatory:
- SBOM 가 product 가 require.
- Vulnerability disclosure.
- Security update lifecycle.
→ 모든 EU-sold software.
```
### US Executive Order 14028
```
Federal procurement 의 SBOM 요구.
```
### Open source의 sustainability
```
대부분 OSS 가 unpaid.
- Maintainer burnout.
- Critical infra (xz, OpenSSL) 의 작은 team.
- Sponsorship (GitHub Sponsors, Open Collective).
→ Supply chain 의 root issue.
```
### Tools
```
SBOM: Syft, npm sbom, docker sbom.
Vulnerability: Grype, Trivy, Snyk.
Signing: Cosign (Sigstore).
Provenance: SLSA, npm provenance.
Compliance: FOSSA, BlackDuck.
Detect malicious: Socket, Phylum.
```
### Best practice
```
1. SBOM 매 release.
2. Sign all artifact (cosign).
3. Scan in CI (trivy).
4. Auto-patch (Renovate).
5. Lock file 매 commit.
6. Reproducible build.
7. Internal mirror.
8. Distroless image.
```
### CI integration
```yaml
- name: SBOM
uses: anchore/syft-action@v0
- name: Scan
uses: anchore/grype-action@v0
- name: Sign
uses: sigstore/cosign-installer@v3
with: { sign: true }
```
### 함정
```
- SBOM 만 + scan 없음: visibility 만.
- "Latest" tag: drift.
- No provenance: build 의 origin 모름.
- Manual CVE patch: slow.
- Lock file 없음: drift.
- Minimal base 가짜 (still big base).
```
## 🤔 의사결정 기준
| 작업 | 추천 |
|---|---|
| SBOM | Syft / npm sbom |
| Scan | Trivy / Grype |
| Signing | Cosign / Sigstore |
| Provenance | npm provenance / SLSA |
| Auto patch | Renovate / Dependabot |
| License | FOSSA / license-checker |
| Malicious | Socket / Phylum |
## ❌ 안티패턴
- **No SBOM**: visibility X.
- **Latest tag**: drift.
- **No signing**: 누구가 build?.
- **Manual patch**: slow.
- **Lock file 없음**: reproducibility X.
- **External mirror trust**: attack risk.
- **Maintainer 1**: bus factor.
## 🤖 LLM 활용 힌트
- SBOM = 매 component visibility.
- Sigstore + cosign = signing.
- SLSA = supply chain levels.
- 매 release = SBOM + sign + scan.
## 🔗 관련 문서
- [[DevSec_Supply_Chain]]
- [[DevOps_Renovate_Dependabot]]
- [[DevSec_Container_Scanning]]
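Review bot: The Sigstore section signs with a local key but verifies keyless, and the keyless verify is incomplete: `cosign sign --key cosign.key my-image:latest` produces a key-based signature, so `cosign verify my-image:latest --certificate-identity ...` will not match it, and in cosign 2.x a keyless verify also requires `--certificate-oidc-issuer` (e.g. the GitHub Actions token issuer) next to `--certificate-identity`, otherwise the command rejects the invocation; pick one mode and show its matching verify. The same gap appears in the Kyverno policy, where the `keyless:` attestor lists only `subject:` and should also pin `issuer:`, since subject alone does not bind the certificate to a specific identity provider. Two other lines will not run as written: the CI step `uses: sigstore/cosign-installer@v3` with `with: { sign: true }` passes an input the installer does not have (it only installs the binary; signing is a separate `run:` step, and the job needs `permissions: id-token: write` for keyless OIDC), and the distroless Dockerfile's `CMD ['/app/server.js']` uses single quotes, which Docker treats as shell form with literal brackets; distroless has no shell, so this must be `CMD ["/app/server.js"]`. Minor: `COSIGN_EXPERIMENTAL: 1` is no longer needed with cosign 2.x, and the Anchore action names are `anchore/sbom-action` and `anchore/scan-action` rather than `syft-action`/`grype-action`.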