---
id: security-sbom-supply-chain
title: SBOM / Supply Chain Security — provenance / sigstore
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, supply-chain, vibe-coding]
tech_stack: { language: "YAML", applicable_to: ["Security", "DevOps"] }
applied_in: []
aliases: [SBOM, software bill of materials, supply chain, sigstore, provenance, SLSA, npm audit signatures]
---

# SBOM / Supply Chain Security

> "What components are in my software, and who built them?" **SBOM (component list), provenance (build origin), sigstore (signing)**. A modern baseline requirement.

## 📖 Key concepts

- SBOM: inventory of every component.
- Provenance: where and how the build was produced.
- Signing: identity + integrity.
- Vulnerability tracking.

## 💻 Code patterns

### SBOM (Software Bill of Materials)

```bash
# Syft (Anchore)
syft my-image:latest -o cyclonedx-json > sbom.json

# or npm (--sbom-format is required: cyclonedx | spdx)
npm sbom --sbom-format cyclonedx > sbom.json

# or docker (sbom CLI plugin)
docker sbom my-image
```

### CycloneDX format

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    { "type": "library", "name": "react", "version": "19.0.0", "purl": "pkg:npm/react@19.0.0" },
    { "type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2" }
  ]
}
```

→ `type` is required per component; `purl` is the key scanners match on.

### SPDX (alternative)

```
NIST recommended.
- License focus.
- Government friendly.
```

### Vulnerability scan

```bash
grype sbom:./sbom.json
# → CVE list.

trivy sbom ./sbom.json
```

### SLSA (Supply chain Levels for Software Artifacts)

```
Level 1: Documentation only.
Level 2: Hosted build.
Level 3: Hardened build.
Level 4: 2-party reviewed.
(These are the SLSA v0.1 levels; SLSA v1.0 defines Build L0–L3.)
→ Trustworthiness of the build.
```

### npm provenance (npm 9+)

```json
// package.json
{
  "publishConfig": { "provenance": true }
}
```

```bash
# CI publish
npm publish --provenance
```

→ Records which GitHub Actions commit + workflow produced the build.

### npm audit signatures

```bash
npm audit signatures
# → verifies the registry signature of every installed dep.
```

### Sigstore (signing)

```bash
cosign sign --key cosign.key my-image:latest

# keyless verify: pin both the identity and the OIDC issuer
cosign verify my-image:latest --certificate-identity ... --certificate-oidc-issuer ...
```

→ Certificate + transparency log = "who built this image".

### Cosign + GitHub OIDC

```yaml
# .github/workflows/release.yml
permissions:
  id-token: write      # lets the job request an OIDC token (the keyless identity)
  packages: write
steps:
  # ... build + push step with id: push (docker/build-push-action exposes outputs.digest)
  - uses: sigstore/cosign-installer@v3
  - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
    # registry prefix (ghcr.io) is an assumption; sign the digest, never a tag.
    # COSIGN_EXPERIMENTAL=1 was only needed for keyless signing in cosign 1.x.
```

→ Keyless: the OIDC token is the identity.

### Verify (deploy time)

```yaml
# Kyverno policy: admit only images with a keyless Sigstore signature from my org
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-images
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences: ["*"]
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/me/*"
                    issuer: "https://token.actions.githubusercontent.com"
```

→ K8s deploys only images signed by my org.

### Dependency tree depth

```bash
npm ls --all
# → every transitive dep (--all already prints the full tree; --depth=99 is redundant).
# or just read the SBOM.
```

→ "Where does this dep come from?"

### Vulnerability disclosure (CVE)

```
CVE = Common Vulnerabilities and Exposures.
- One ID per vulnerability.
- CVSS (severity score).
- NVD database.
```

### Auto patch

```
- Dependabot / Renovate (auto PR).
- Snyk (managed).
- Socket (malicious detect).
→ Automated vulnerability fixes.
```

→ [[DevOps_Renovate_Dependabot]].

### License compliance

```bash
license-checker --production --onlyAllow="MIT;Apache-2.0;BSD"
```

→ Exclude GPL / AGPL for commercial use.

### Image scanning

```bash
trivy image my-image:latest
# Output:
# Total: 23 (CRITICAL: 2, HIGH: 5)
```

```yaml
# CI
- run: trivy image --severity CRITICAL,HIGH --exit-code 1 my-image
```

→ CI gate.

### Software supply chain attack

```
Famous:
- 2020 SolarWinds: build server compromise.
- 2021 ua-parser-js: maintainer hijack.
- 2024 xz-utils: long-running social engineering.
- 2024 Polyfill.io: domain takeover.
→ Every link can be the weak one.
```

### Defense

```
1. SBOM = visibility.
2. Signature + provenance = trust.
3. Vulnerability scan = detect.
4. Lock file = reproducibility.
5. Minimal base image.
6. Audit signatures (npm).
7. Auto-update.
8. Internal mirror (npm Enterprise).
```

### Internal package mirror

```
- npm Enterprise.
- Verdaccio (open source).
- JFrog Artifactory.
- AWS CodeArtifact.
- GCP Artifact Registry.
→ Still works when the public npm registry is down or compromised.
```

### Reproducible build

```
- Lock file (package-lock.json).
- Pinned base image (sha256:...).
- Git commit SHA in build artifact.
- Same input → same output.
```

### Container best practice

```dockerfile
# ❌ Latest tag (drift).
FROM node:latest

# ✅ Specific tag + digest
FROM node:20.10.0-alpine@sha256:...
```

### Distroless (small attack surface)

```dockerfile
FROM gcr.io/distroless/nodejs20-debian12
COPY ./app /app
# exec form needs double quotes; single quotes are not valid JSON
CMD ["/app/server.js"]
```

→ No shell, no apt-get. Smallest.

### Vulnerability response

```
1. CVE published.
2. Auto PR (Renovate).
3. Tests pass = auto-merge.
4. Deploy.
5. Verify (no exploit).
→ "Mean time to patch" metric.
```

### EU CRA (Cyber Resilience Act)

```
Mandatory from 2027:
- SBOM required per product.
- Vulnerability disclosure.
- Security update lifecycle.
→ All software sold in the EU.
```

### US Executive Order 14028

```
Requires SBOMs in federal procurement.
```

### Open source sustainability

```
Most OSS is unpaid.
- Maintainer burnout.
- Critical infrastructure (xz, OpenSSL) maintained by tiny teams.
- Sponsorship (GitHub Sponsors, Open Collective).
→ The root issue of the supply chain.
```

### Tools

```
SBOM: Syft, npm sbom, docker sbom.
Vulnerability: Grype, Trivy, Snyk.
Signing: Cosign (Sigstore).
Provenance: SLSA, npm provenance.
Compliance: FOSSA, BlackDuck.
Detect malicious: Socket, Phylum.
```

### Best practice

```
1. SBOM on every release.
2. Sign all artifacts (cosign).
3. Scan in CI (trivy).
4. Auto-patch (Renovate).
5. Lock file in every commit.
6. Reproducible build.
7. Internal mirror.
8. Distroless image.
```

### CI integration

```yaml
- name: SBOM
  uses: anchore/sbom-action@v0        # generates + uploads a CycloneDX/SPDX SBOM
- name: Scan
  uses: anchore/scan-action@v3         # grype; fails the build at the cutoff
  with:
    path: "."
    fail-build: true
    severity-cutoff: high
- name: Install cosign
  uses: sigstore/cosign-installer@v3   # installs only; it has no "sign" input
- name: Sign
  run: cosign sign --yes "${IMAGE}@${DIGEST}"   # IMAGE / DIGEST: env placeholders from the push step
```

### Pitfalls

```
- SBOM without scanning: visibility only.
- "Latest" tag: drift.
- No provenance: build origin unknown.
- Manual CVE patching: slow.
- No lock file: drift.
- Fake "minimal" base (still a big base image).
```

## 🤔 Decision criteria

| Task | Recommendation |
|---|---|
| SBOM | Syft / npm sbom |
| Scan | Trivy / Grype |
| Signing | Cosign / Sigstore |
| Provenance | npm provenance / SLSA |
| Auto patch | Renovate / Dependabot |
| License | FOSSA / license-checker |
| Malicious | Socket / Phylum |

## ❌ Anti-patterns

- **No SBOM**: no visibility.
- **Latest tag**: drift.
- **No signing**: who built it?
- **Manual patch**: slow.
- **No lock file**: no reproducibility.
- **External mirror trust**: attack risk.
- **Single maintainer**: bus factor.

## 🤖 LLM hints

- SBOM = visibility of every component.
- Sigstore + cosign = signing.
- SLSA = supply chain levels.
- Every release = SBOM + sign + scan.

## 🔗 Related documents

- [[DevSec_Supply_Chain]]
- [[DevOps_Renovate_Dependabot]]
- [[DevSec_Container_Scanning]]