---
id: wiki-2026-0508-supply-chain
title: Supply Chain
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [SCM, Supply Chain Management, 공급망]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [supply-chain, logistics, security, sbom, ai-optimization]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: ortools
---

# Supply Chain

## One-liner

> **"A supply chain is the end-to-end network: the flow from raw material to end customer."**

The two axes of a 2026 supply chain: AI-driven optimization (demand forecasting, routing, inventory) and security (SBOM, supply chain attack defense). Since the SolarWinds and xz-utils incidents, the software supply chain is a first-class security concern.

## Core

### 5 components

- **Plan**: demand forecast, capacity planning, S&OP.
- **Source**: supplier selection, contracts, procurement.
- **Make**: production, quality, scheduling.
- **Deliver**: warehousing, transportation, last-mile.
- **Return**: reverse logistics, recycling, RMA.

### AI application areas

- **Demand forecasting**: Transformer-based time series models (TimesFM, Chronos); LSTM is being retired.
- **Route optimization**: OR-Tools VRP + RL hybrid.
- **Inventory**: (s,S) policy with dynamic safety-stock adjustment.
- **Anomaly detection**: shipment delay prediction, fraud.
- **Supplier risk**: graph neural network on the supplier dependency graph.

### Software supply chain security

- **SBOM** (Software Bill of Materials): SPDX, CycloneDX formats.
- **Sigstore**: keyless signing, transparency log.
- **SLSA** (Supply-chain Levels for Software Artifacts): level 1-4 framework.
- **Attack surface**: dependency confusion, typosquatting, malicious maintainer.

### Applications

1. **E-commerce**: Amazon FBA: AI demand forecast → DC pre-positioning.
2. **Manufacturing**: AI evolution of Toyota JIT: predictive lead time.
3. **Software security**: GitHub Dependabot + Sigstore + SLSA Level 3.

## 💻 Patterns

### 1. Demand forecast (Chronos)

```python
from chronos import BaseChronosPipeline
import torch
import pandas as pd

# BaseChronosPipeline selects the right pipeline class for the checkpoint;
# chronos-bolt models are quantile-based, not sample-based, so predict()
# with num_samples does not apply to them.
pipe = BaseChronosPipeline.from_pretrained(
    "amazon/chronos-bolt-base",
    device_map="cpu",
    torch_dtype=torch.bfloat16,
)

# historical daily sales; the last 365 days form the context window
ts = pd.read_csv("sales.csv")["units"].values
context = torch.tensor(ts[-365:], dtype=torch.float32)

# quantiles shape: [batch, prediction_length, len(quantile_levels)]
quantiles, mean = pipe.predict_quantiles(
    context=context, prediction_length=30, quantile_levels=[0.5, 0.9]
)
median = quantiles[0, :, 0]  # 30-day median forecast
p90 = quantiles[0, :, 1]     # safety stock upper bound
```

### 2. VRP (Vehicle Routing Problem)

```python
from ortools.constraint_solver import pywrapcp, routing_enums_pb2


def solve_vrp(distance_matrix, num_vehicles, depot):
    """Return one node sequence per vehicle (depot first and last), or None."""
    manager = pywrapcp.RoutingIndexManager(len(distance_matrix), num_vehicles, depot)
    routing = pywrapcp.RoutingModel(manager)

    def dist_cb(i, j):
        # solver-internal indices -> matrix node ids
        return distance_matrix[manager.IndexToNode(i)][manager.IndexToNode(j)]

    transit_idx = routing.RegisterTransitCallback(dist_cb)
    routing.SetArcCostEvaluatorOfAllVehicles(transit_idx)

    params = pywrapcp.DefaultRoutingSearchParameters()
    params.first_solution_strategy = (
        routing_enums_pb2.FirstSolutionStrategy.PATH_CHEAPEST_ARC
    )
    solution = routing.SolveWithParameters(params)
    if solution is None:
        return None

    # Walk each vehicle's chain of NextVar assignments back into node ids.
    # Without a distance/capacity dimension the solver may put every stop
    # on a single vehicle; add a dimension to spread the load.
    routes = []
    for v in range(num_vehicles):
        idx = routing.Start(v)
        route = []
        while not routing.IsEnd(idx):
            route.append(manager.IndexToNode(idx))
            idx = solution.Value(routing.NextVar(idx))
        route.append(manager.IndexToNode(idx))
        routes.append(route)
    return routes
```

### 3. (s,S) inventory policy

```python
import numpy as np


def reorder(stock, s, S, demand_forecast, lead_time_days):
    """(s,S) policy: s = static reorder point, S = order-up-to level.

    The reorder point is raised dynamically from the forecast: expected
    demand over the lead time plus a safety stock at z = 1.65 (95% service
    level). It never drops below the static floor s."""
    expected_demand_during_lead = demand_forecast.mean() * lead_time_days
    safety = 1.65 * demand_forecast.std() * np.sqrt(lead_time_days)
    s_dynamic = max(s, expected_demand_during_lead + safety)
    if stock <= s_dynamic:
        return S - stock  # order quantity
    return 0
```

### 4. SBOM generation (CycloneDX)

```bash
# Python project (cyclonedx-bom >= 4 uses a subcommand-based CLI)
pip install cyclonedx-bom
cyclonedx-py environment --of JSON -o sbom.json

# Node project
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Container image
syft scan docker:myimage:latest -o cyclonedx-json > sbom.json
```

### 5. Sigstore keyless signing

```bash
# Sign artifact (uses OIDC identity, no long-lived keys)
cosign sign-blob --yes ./release.tar.gz \
  --output-signature release.sig \
  --output-certificate release.crt

# Verify: pin the expected identity and issuer, not just the certificate
cosign verify-blob ./release.tar.gz \
  --signature release.sig \
  --certificate release.crt \
  --certificate-identity user@example.com \
  --certificate-oidc-issuer https://github.com/login/oauth
```

### 6. SLSA provenance (GitHub Actions)

```yaml
name: build
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder: your build step, produces release.tar.gz
      - id: hash          # base64-encoded sha256sum output is the generator's subject format
        run: echo "digests=$(sha256sum release.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.digests }}
```

### 7. Supplier risk GNN

```python
import torch
from torch_geometric.nn import GraphSAGE

# nodes = suppliers, edges = dependency. Placeholder inputs: a 16-dim feature
# vector per supplier and a COO edge list. PyG passes messages from the
# source row to the target row, so edges point supplier -> buyer to let a
# tier-2 supplier's risk flow into its tier-1 buyer (node 0 = focal company).
num_suppliers = 5
node_features = torch.randn(num_suppliers, 16)
edge_index = torch.tensor([[1, 2, 3, 4],
                           [0, 0, 1, 2]])  # tier-2 (3,4) -> tier-1 (1,2) -> 0

model = GraphSAGE(in_channels=16, hidden_channels=64, num_layers=3, out_channels=2)  # risk logits
# message passing: a tier-1 supplier's risk propagates to tier-2 neighbours
risk_scores = model(node_features, edge_index).softmax(dim=-1)[:, 1]  # P(high risk) per supplier
```

## Decision criteria

| Situation | Approach |
|---|---|
| Demand forecast (long horizon) | Chronos / TimesFM |
| Route opt (small, hard) | OR-Tools exact |
| Route opt (large, soft) | RL + heuristic |
| SBOM | CycloneDX (broader) or SPDX |
| Signing | Sigstore (keyless, modern) |

**Default**: Chronos forecast + OR-Tools VRP + CycloneDX SBOM + Sigstore.

## 🔗 Graph

- Parent: [[Operations-Research]]
- Variants: [[SBOM]] · [[SLSA]] · [[Sigstore]]

## 🤖 LLM usage

**When**: explaining demand patterns, root-cause analysis of anomalies, vulnerability summaries from an SBOM.

**When not**: real-time route decisions (latency), exact optimization (hallucinated costs).

## ❌ Anti-patterns

- **Inventory without a forecast**: rough-cut lead time × demand estimates lead to a cycle of stockouts.
- **Generating the SBOM after the build**: reproducibility is lost. Generate it at build time.
- **Long-lived signing keys**: a leak is catastrophic. Use Sigstore keyless signing.
- **Pinning dependencies without a lockfile**: a supply-chain attack vector. Use a lockfile plus hash checks.
- **Monitoring only tier-1 suppliers**: cascade failures are ignored. Maintain multi-tier visibility.

## 🧪 Verification / Duplicates

- Verified (CSCMP definitions, NIST SSDF SP800-218, SLSA spec v1.0).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — supply chain (logistics + software security) full canonical |
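Worked example for the CycloneDX SBOM pattern and for two of the anti-patterns above (hash checks on dependencies, multi-tier visibility). This is an added example, not code from the page or from any SBOM tool: it parses a CycloneDX JSON document, walks the dependency graph from the root component to assign each component a tier, and compares each recorded SHA-256 with the bytes actually held. The SBOM, the package names and the artifact bytes are constructed for the example, and the `ARTIFACTS` dictionary is a hypothetical stand-in for wheels or tarballs on disk.

```python
"""Audit a CycloneDX JSON SBOM: integrity fields, hash verification,
and multi-tier dependency depth (defender-side checks)."""
import hashlib
import json
from collections import deque


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact store: bom-ref -> bytes a fetcher would have downloaded.
# A real pipeline hashes the wheel/tarball on disk instead of an in-memory dict.
ARTIFACTS = {
    "pkg:pypi/geo-router@1.4.0": b"constructed geo-router wheel",
    "pkg:pypi/tile-cache@0.9.2": b"constructed tile-cache wheel",
    "pkg:pypi/ssl-shim@3.1.0": b"constructed ssl-shim wheel",
}

# Constructed CycloneDX 1.5 document (fictional packages). tile-cache carries a
# hash that does not match the stored bytes; ssl-shim has no hash and no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "shipping-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/geo-router@1.4.0", "type": "library",
         "name": "geo-router", "version": "1.4.0",
         "purl": "pkg:pypi/geo-router@1.4.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["pkg:pypi/geo-router@1.4.0"])}]},
        {"bom-ref": "pkg:pypi/tile-cache@0.9.2", "type": "library",
         "name": "tile-cache", "version": "0.9.2",
         "purl": "pkg:pypi/tile-cache@0.9.2",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"bom-ref": "pkg:pypi/ssl-shim@3.1.0", "type": "library",
         "name": "ssl-shim", "version": "3.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/geo-router@1.4.0"]},
        {"ref": "pkg:pypi/geo-router@1.4.0", "dependsOn": ["pkg:pypi/tile-cache@0.9.2"]},
        {"ref": "pkg:pypi/tile-cache@0.9.2", "dependsOn": ["pkg:pypi/ssl-shim@3.1.0"]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse and sanity-check the document header before trusting its contents."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX JSON document")
    return sbom


def tier_depth(sbom: dict) -> dict:
    """BFS over the dependency graph from the root component.
    Depth 1 = tier-1 (direct) dependency, 2 = tier-2, and so on."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def verify_hashes(sbom: dict, artifacts: dict) -> dict:
    """Compare each component's recorded SHA-256 with the bytes we actually hold."""
    status = {}
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if "SHA-256" not in recorded:
            status[ref] = "no-hash"
        elif ref not in artifacts:
            status[ref] = "no-artifact"
        elif sha256_hex(artifacts[ref]) == recorded["SHA-256"]:
            status[ref] = "ok"
        else:
            status[ref] = "mismatch"
    return status


def audit(sbom_text: str, artifacts: dict) -> dict:
    """Full report: tier per component, unreachable components, missing purls, hash status."""
    sbom = load_sbom(sbom_text)
    depth = tier_depth(sbom)
    components = sbom.get("components", [])
    return {
        "tiers": {c["bom-ref"]: depth.get(c["bom-ref"]) for c in components},
        "max_tier": max(depth.values()),
        "orphans": [c["bom-ref"] for c in components if c["bom-ref"] not in depth],
        "missing_purl": [c["bom-ref"] for c in components if not c.get("purl")],
        "hash_status": verify_hashes(sbom, artifacts),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM, ARTIFACTS), indent=2))
```

In a build pipeline the natural gate is to fail when any `hash_status` entry is not `ok`, any component lacks a `purl`, or any component is an orphan (listed but unreachable from the root, which usually means the dependency section is incomplete). The tier map is what the "multi-tier visibility" anti-pattern asks for: a monitor that only looks at depth 1 would never see `ssl-shim`, which sits at depth 3 with neither hash nor purl.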