| id | title | category | status | source_trust_level | verification_status | created_at | updated_at | tags | tech_stack | applied_in | aliases |
|---|---|---|---|---|---|---|---|---|---|---|---|
| security-sbom-supply-chain | SBOM / Supply Chain Security — provenance / sigstore | Coding | draft | B | conceptual | 2026-05-09 | 2026-05-09 | | | | |
SBOM / Supply Chain Security
"What components are in my software, and who built it?" SBOM (component list), provenance (build origin), sigstore (signing). Now a baseline requirement.
📖 Core concepts
- SBOM: inventory of every component.
- Provenance: where the build came from.
- Signing: identity + integrity.
- Vulnerability tracking.
💻 Code patterns
SBOM (Software Bill of Materials)
```shell
# Syft (Anchore)
syft my-image:latest -o cyclonedx-json > sbom.json
# or npm
npm sbom
# or docker
docker sbom my-image
```
CycloneDX format
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    { "name": "react", "version": "19.0.0", "purl": "pkg:npm/react@19.0.0" },
    { "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2" }
  ]
}
```
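As an added example (not part of the original note), the following Python reads two CycloneDX SBOMs, such as the ones `syft -o cyclonedx-json` emits for consecutive releases, and reports what changed between them: new, removed and re-versioned components, plus components with no purl that cannot be matched to any registry. The two SBOM documents and the component names in them are constructed for the example; `parse_purl` is a minimal purl splitter written here, not a library call.

```python
"""Inventory and diff two CycloneDX SBOMs (added example; both SBOMs are constructed)."""
import json
from typing import Dict, Tuple

# Constructed sample SBOMs: what the previous release shipped vs. the current one.
SBOM_PREVIOUS = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"},
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})
SBOM_CURRENT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "react", "version": "19.0.0", "purl": "pkg:npm/react@19.0.0"},
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "mystery", "version": "0.0.1"},  # no purl: cannot be tied to a registry
    ],
})


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (type, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep or not name:  # no version separator, or the only '@' is a scope prefix
        name, version = rest, ""
    return ptype, name, version


def inventory(sbom_json: str) -> Dict[str, str]:
    """Map 'type/name' -> version. Components without a purl are keyed 'unknown/<name>'."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    inv: Dict[str, str] = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:
            ptype, name, version = parse_purl(purl)
            inv[f"{ptype}/{name}"] = version
        else:
            inv[f"unknown/{comp['name']}"] = comp.get("version", "")
    return inv


def diff_sboms(prev_json: str, cur_json: str) -> Dict:
    """What changed between two releases, and which components are unidentifiable."""
    prev, cur = inventory(prev_json), inventory(cur_json)
    return {
        "added": sorted(k for k in cur if k not in prev),
        "removed": sorted(k for k in prev if k not in cur),
        "changed": {k: (prev[k], cur[k]) for k in cur if k in prev and prev[k] != cur[k]},
        "unidentified": sorted(k for k, v in cur.items() if k.startswith("unknown/") or not v),
    }


if __name__ == "__main__":
    for key, value in diff_sboms(SBOM_PREVIOUS, SBOM_CURRENT).items():
        print(f"{key}: {value}")
```

Run the diff as a release step and fail the pipeline on a non-empty `unidentified` list: a component that cannot be expressed as a purl is exactly the one no vulnerability database will ever match.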
SPDX (alternative)
NIST-recommended.
- License focus.
- Government-friendly.
Vulnerability scan
```shell
grype sbom:./sbom.json
# → CVE list.
trivy sbom ./sbom.json
```
SLSA (Supply-chain Levels for Software Artifacts)
Level 1: Documentation only.
Level 2: Hosted build.
Level 3: Hardened build.
Level 4: Two-party reviewed.
→ Grades the trustworthiness of the build process. (These are the SLSA v0.1 levels; the v1.0 Build track defines levels 0 to 3.)
npm provenance (npm 9+)
```jsonc
// package.json
{
  "publishConfig": {
    "provenance": true
  }
}
```
```shell
# CI publish
npm publish --provenance
```
→ Provenance records which GitHub Actions commit and workflow produced the build.
npm audit signatures
```shell
npm audit signatures
# → verifies the registry signature of every dependency.
```
Sigstore (signing)
```shell
# Key-pair signing and verification
cosign sign --key cosign.key my-image:latest
cosign verify --key cosign.pub my-image:latest
# Keyless verification: the expected identity and its OIDC issuer are both required
cosign verify my-image:latest \
  --certificate-identity ... \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```
→ Certificate + transparency log = "who built this image".
Cosign + GitHub OIDC
```yaml
# .github/workflows/release.yml (job excerpt)
permissions:
  id-token: write   # keyless signing: the job must be able to request an OIDC token
  packages: write   # the signature is pushed next to the image (GHCR assumed here)
steps:
  - uses: sigstore/cosign-installer@v3
  # digest comes from the preceding build/push step (id: push); sign by digest, never by tag
  - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
    env:
      COSIGN_EXPERIMENTAL: 1   # only needed with cosign v1; keyless is the default in v2
```
→ Keyless: the OIDC token is the identity.
Verify (deploy time)
```yaml
# Kyverno policy: admit only images carrying a valid Sigstore keyless signature
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce   # reject the Pod, don't just audit
  rules:
    - name: verify-images
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences: ["*"]
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/me/.*"
                    issuer: "https://token.actions.githubusercontent.com"
```
→ K8s admits only images signed by my org.
Dependency tree depth
```shell
npm ls --depth=99 --all
# → every transitive dependency.
# or just read the SBOM.
```
→ "Where does this dependency come from?"
Vulnerability disclosure (CVE)
CVE = Common Vulnerabilities and Exposures.
- One ID per vulnerability.
- CVSS (severity score).
- NVD database.
Auto patch
- Dependabot / Renovate (auto PR).
- Snyk (managed).
- Socket (malicious-package detection).
→ Automatic fixes for vulnerabilities.
License compliance
```shell
license-checker --production --onlyAllow="MIT;Apache-2.0;BSD"
```
→ GPL / AGPL excluded for commercial use.
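Added example, not part of the original note: a Python allowlist check that applies the same policy as `license-checker --onlyAllow`, but evaluates SPDX expressions (`(MIT OR GPL-3.0-only)` passes because one alternative is allowed; `Apache-2.0 AND LGPL-2.1-only` fails because every part must be) and rejects free-text or malformed license strings instead of silently accepting them. The package-to-license map is constructed, and SPDX ids are used in the allowlist in place of license-checker's bare `BSD`, which is not an SPDX id.

```python
"""Allowlist check for SPDX license expressions (added example; package list is constructed)."""
import re
from typing import Dict, List, Set

ALLOWED: Set[str] = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Tokens: parentheses, or a license id (operators AND/OR are matched as ids and recognised by value).
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

# Constructed sample: package -> license string as a `license-checker --json` run would report it.
PACKAGES: Dict[str, str] = {
    "react": "MIT",
    "mypkg": "(MIT OR GPL-3.0-only)",          # dual-licensed: pick the permissive branch
    "copyleft": "GPL-3.0-only",
    "dual": "(Apache-2.0 AND LGPL-2.1-only)",  # both apply, so the copyleft part blocks it
    "weird": "SEE LICENSE IN LICENSE.txt",     # free text: never allow by accident
}


def is_allowed(expr: str, allow: Set[str] = ALLOWED) -> bool:
    """Recursive-descent evaluation of an SPDX expression against the allowlist.
    'WITH' exceptions are not modelled and therefore fail closed."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            rhs = parse_and()  # always parse the right side so its tokens are consumed
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            return False  # dangling operator or empty expression
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos < len(tokens) and tokens[pos] == ")":
                pos += 1
                return value
            return False  # unbalanced parenthesis
        if tok == ")" or tok.upper() in ("AND", "OR"):
            return False  # operator where an id was expected
        return tok in allow

    result = parse_or()
    return result and pos == len(tokens)  # leftover tokens mean a malformed expression


def audit(packages: Dict[str, str], allow: Set[str] = ALLOWED) -> List[str]:
    """Names of packages whose license expression is not satisfied by the allowlist."""
    return sorted(name for name, lic in packages.items() if not is_allowed(lic, allow))


if __name__ == "__main__":
    print("violations:", audit(PACKAGES))
```

Failing closed on anything that does not parse is the point: a license field such as `SEE LICENSE IN LICENSE.txt` needs a human decision, not a pass.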
Image scanning
```shell
trivy image my-image:latest
# Output:
# Total: 23 (CRITICAL: 2, HIGH: 5)
```
```yaml
# CI
- run: trivy image --severity CRITICAL,HIGH --exit-code 1 my-image
```
→ CI gate.
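Added example covering both the vulnerability-scan section above and this CI gate (it is not code from the note or from Trivy): a Python gate over Trivy's JSON report, equivalent to `trivy image --severity CRITICAL,HIGH --exit-code 1`, with two knobs the CLI flag alone does not give you, an allowlist of accepted CVE ids and an `ignore_unfixed` switch for findings that have no fixed version yet. The report is constructed with placeholder CVE ids, in the `Results[].Vulnerabilities[]` layout that `trivy image -f json` produces.

```python
"""Severity gate over a Trivy JSON report (added example; report is constructed, CVE ids are placeholders)."""
import json
from typing import Dict, FrozenSet, List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape `trivy image -f json` emits.
TRIVY_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-image:latest",
    "Results": [
        {"Target": "my-image:latest (alpine 3.18.4)", "Type": "alpine", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.3-r0",
             "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.1-r2",
             "FixedVersion": "", "Severity": "HIGH"},  # no upstream fix yet
        ]},
        {"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.20",
             "FixedVersion": "4.17.21", "Severity": "MEDIUM"},
        ]},
    ],
})


def gate(report_json: str, fail_on: str = "HIGH", ignore_unfixed: bool = False,
         allowlist: FrozenSet[str] = frozenset()) -> Dict:
    """Return per-severity counts, the findings that block the build, and the exit code CI should use."""
    threshold = SEVERITY_RANK[fail_on]
    counts = {sev: 0 for sev in SEVERITY_RANK}
    blocking: List[Dict] = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null for clean targets
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
            if vuln["VulnerabilityID"] in allowlist:
                continue  # accepted risk, tracked outside the pipeline
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet; keep counting, don't block
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                blocking.append({
                    "id": vuln["VulnerabilityID"],
                    "pkg": vuln.get("PkgName"),
                    "target": result.get("Target"),
                    "severity": sev,
                    "fix": vuln.get("FixedVersion") or None,
                })
    return {"counts": counts, "blocking": blocking, "exit_code": 1 if blocking else 0}


def summary_line(result: Dict) -> str:
    """Same one-line summary shape the trivy CLI prints."""
    c = result["counts"]
    return f"Total: {sum(c.values())} (CRITICAL: {c['CRITICAL']}, HIGH: {c['HIGH']})"


if __name__ == "__main__":
    outcome = gate(TRIVY_REPORT)
    print(summary_line(outcome))
    for finding in outcome["blocking"]:
        print(f"  {finding['severity']} {finding['id']} in {finding['pkg']} (fix: {finding['fix']})")
    raise SystemExit(outcome["exit_code"])
```

The allowlist is what keeps a gate honest: an exception lives in one reviewed file with the CVE id, rather than in a lowered threshold that silences everything.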
Software supply chain attack
Famous cases:
- 2020 SolarWinds: build server compromise.
- 2021 ua-parser-js: maintainer account hijack.
- 2024 xz-utils: long-running social engineering.
- 2024 Polyfill.io: domain takeover.
→ Every link in the chain is a potential weak point.
Defense
1. SBOM gives visibility.
2. Signature + provenance give trust.
3. Vulnerability scanning gives detection.
4. Lock files give reproducibility.
5. Minimal base image.
6. Audit signatures (npm).
7. Auto-update.
8. Internal mirror (npm Enterprise).
Internal package mirror
- npm Enterprise.
- Verdaccio (open source).
- JFrog Artifactory.
- AWS CodeArtifact.
- GCP Artifact Registry.
→ Builds keep working when the public npm registry is down or under attack.
Reproducible build
- Lock file (package-lock.json).
- Pinned base image (sha256:...).
- Git commit SHA in build artifact.
- Same input → same output.
Container best practice
```dockerfile
# ❌ Latest tag (drift).
FROM node:latest
# ✅ Specific tag pinned to a digest
FROM node:20.10.0-alpine@sha256:...
```
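Added example (not from the note) that ties the reproducible-build rules and the base-image rule together: a Python lint for Dockerfile `FROM` lines that flags `latest`, a missing tag and a tag without a digest, while letting build-stage references and `scratch` through and calling out base images that come from a build `ARG`. The Dockerfile text is constructed and the sha256 digest is a placeholder, not a real image digest.

```python
"""Lint Dockerfile FROM lines for drift (added example; Dockerfile and digest are constructed)."""
import re
from typing import Dict, List

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

PLACEHOLDER_DIGEST = "sha256:" + "a" * 64  # placeholder, not a real digest

# Constructed multi-stage Dockerfile exercising every case the lint distinguishes.
DOCKERFILE = f"""FROM node:latest AS deps
FROM node:20.10.0-alpine
FROM --platform=linux/amd64 node:20.10.0-alpine@{PLACEHOLDER_DIGEST} AS build
FROM gcr.io/distroless/nodejs20-debian12
FROM build
FROM scratch"""


def check_image_ref(ref: str) -> str:
    """Return '' if the reference is immutable, otherwise a description of the problem."""
    if DIGEST_RE.search(ref) or ref.lower() == "scratch":
        return ""  # digest-pinned (tag is irrelevant) or the empty image
    # The tag is whatever follows the last ':' unless that ':' belongs to a registry port.
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return "no tag (resolves to latest)"
    if tag == "latest":
        return "'latest' tag (drifts between builds)"
    return "tag without digest (tag can be re-pointed)"


def lint_dockerfile(text: str) -> List[Dict]:
    """One finding per FROM line whose base image is not reproducible."""
    findings: List[Dict] = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() in stages:
            pass  # refers to an earlier build stage, not a registry image
        elif ref.startswith("$"):
            findings.append({"line": lineno, "ref": ref,
                             "problem": "base image comes from a build ARG; pin it where the ARG is defined"})
        else:
            problem = check_image_ref(ref)
            if problem:
                findings.append({"line": lineno, "ref": ref, "problem": problem})
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


if __name__ == "__main__":
    for f in lint_dockerfile(DOCKERFILE):
        print(f"line {f['line']}: {f['ref']}: {f['problem']}")
```

A tag plus digest (`node:20.10.0-alpine@sha256:...`) is the form to standardise on: the digest is what the build actually resolves, and the tag is there for humans reading the file.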
Distroless (small attack surface)
```dockerfile
FROM gcr.io/distroless/nodejs20-debian12
COPY ./app /app
CMD ["/app/server.js"]
```
→ No shell, no apt-get. Smallest footprint.
Vulnerability response
1. CVE published.
2. Auto PR (Renovate).
3. Tests pass = auto-merge.
4. Deploy.
5. Verify (no exploit).
→ Track "mean time to patch" as the metric.
EU CRA (Cyber Resilience Act)
Mandatory from 2027:
- SBOM required for products.
- Vulnerability disclosure.
- Security update lifecycle.
→ Applies to all software sold in the EU.
US Executive Order 14028
Requires an SBOM in federal procurement.
Open source sustainability
Most OSS work is unpaid.
- Maintainer burnout.
- Critical infrastructure (xz, OpenSSL) maintained by tiny teams.
- Sponsorship (GitHub Sponsors, Open Collective).
→ The root issue of the supply chain.
Tools
SBOM: Syft, npm sbom, docker sbom.
Vulnerability: Grype, Trivy, Snyk.
Signing: Cosign (Sigstore).
Provenance: SLSA, npm provenance.
Compliance: FOSSA, BlackDuck.
Detect malicious: Socket, Phylum.
Best practice
1. SBOM for every release.
2. Sign all artifacts (cosign).
3. Scan in CI (trivy).
4. Auto-patch (Renovate).
5. Lock file in every commit.
6. Reproducible build.
7. Internal mirror.
8. Distroless image.
CI integration
```yaml
- name: SBOM
  uses: anchore/sbom-action@v0
- name: Scan
  uses: anchore/scan-action@v3
  with:
    image: my-image:latest
    fail-build: true
    severity-cutoff: high
- name: Install cosign
  uses: sigstore/cosign-installer@v3   # installs the binary only; it has no "sign" input
- name: Sign
  run: cosign sign --yes my-image@${{ steps.push.outputs.digest }}   # digest from the push step
```
Pitfalls
- SBOM only, no scan: visibility only.
- "Latest" tag: drift.
- No provenance: build origin unknown.
- Manual CVE patching: slow.
- No lock file: drift.
- Fake "minimal" base (still a big base image).
🤔 Decision criteria
| Task | Recommendation |
|---|---|
| SBOM | Syft / npm sbom |
| Scan | Trivy / Grype |
| Signing | Cosign / Sigstore |
| Provenance | npm provenance / SLSA |
| Auto patch | Renovate / Dependabot |
| License | FOSSA / license-checker |
| Malicious | Socket / Phylum |
❌ Anti-patterns
- No SBOM: no visibility.
- Latest tag: drift.
- No signing: who built it?
- Manual patching: slow.
- No lock file: no reproducibility.
- Trusting an external mirror: attack risk.
- Single maintainer: bus factor.
🤖 LLM usage hints
- SBOM = visibility of every component.
- Sigstore + cosign = signing.
- SLSA = supply chain levels.
- Every release = SBOM + sign + scan.