Supply Chain

Overview

High-profile attacks like Log4Shell, ChaosDB and AzureScape demonstrated how supply chain vulnerabilities can go unnoticed and then become extremely public, disruptive and costly incidents. Organizations developing applications in the public cloud rely on verifiable packaging constructs to ship their code securely. When those constructs are compromised, it is up to developers to identify what infrastructure may have been impacted and which artifacts should be remediated.

About the Graph

The Supply Chain Graph is a real-time attestation of the artifacts used to build, configure and invoke cloud infrastructure. The data represented in the graph reflects an opinionated supply chain attack surface of your repositories and describes how cloud infrastructure and applications may become compromised.

Auto Discovery

The graph is updated in real time based on periodic scanning of VCS default branches, CI/CD runs and active cloud accounts. Code and code assets are extracted and modeled using the existing Bridgecrew scanners.

Resource Data

Resources in the graph are chained based on the technologies used to deploy them, and are ordered by the number of errors/vulnerabilities associated with them. The root node is the Git organization hosting the subject repository. Under the repository you will find its Files. Depending on the application or infrastructure technology you use, Files then include their dependent assets: for example, IaC files render Resource Blocks, whereas NPM files render packages.

Code to Cloud

Select technologies enable full tracing between an IaC resource block and a running cloud configuration.

Filters

  • Status: Use this filter to select whether you want to review assets based on their security scan results. By default, Open is selected to show assets that have failed a scan and have open errors/vulnerabilities. Selecting Passed or Suppressed instead renders resources that have either not failed a scan or have been manually suppressed.
  • Repository: Use this filter to toggle between connected repositories onboarded to your organization.
  • File types: Use this filter to zoom in on specific technology types and assess their overall risk posture.

Search

Use the graph's embedded search function to analyze the recurrence of a file, package or resource and evaluate its risk posture. You can use Search to find explicit (direct) and implicit (transitive) use of vulnerable modules and packages. Use exact matches or free-text matches of known vulnerable software components to pinpoint the risks associated with them on the graph.


Search for a known vulnerable package to trace its prevalence

SCA Dependency Tree

Users often employ code based on open source packages, whose own code is based on other open source packages, and so on. The root packages deployed by a repository, as well as the dependencies (sub-packages) they unpack, may each have their own vulnerabilities or non-compliant licenses. Such issues are not always transparent to the user.
To expose the user to the issues in each package in the hierarchy, the Supply Chain page offers a Dependency Tree display, comprising a detailed diagram of all open source (SCA) dependencies.
For more details about Bridgecrew's open source module, including vulnerabilities and non-compliant licenses in particular, see Open Source (SCA).
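The dependency-tree idea above, worked through as an added example (this is not Bridgecrew code): a small npm-style lockfile is resolved into a tree, every package in the hierarchy, direct or transitive, is checked against a list of advisories and a licence policy, and the tree is rendered with the issues attached. The lockfile contents, package names, advisory identifiers and the denied-licence set are all constructed for the example.

```python
"""Resolve an npm-style lockfile into a dependency tree and annotate each
package (explicit and implicit use alike) with the advisories and licence
issues that apply to it. Added example; not Bridgecrew or Checkov code."""
from dataclasses import dataclass, field

# Constructed lockfile in the shape of an npm package-lock v2 "packages" map:
# keys are node_modules paths, values carry the resolved version, licence and
# the dependencies that entry declares. Package names are invented.
LOCKFILE = {
    "": {"name": "frontend-app", "version": "1.0.0", "license": "Apache-2.0",
         "dependencies": {"http-lib": "^4.17.0", "util-lib": "^4.17.15"}},
    "node_modules/http-lib": {"version": "4.17.1", "license": "MIT",
                              "dependencies": {"parser-lib": "1.19.0", "log-lib": "2.6.9"}},
    "node_modules/parser-lib": {"version": "1.19.0", "license": "MIT",
                                "dependencies": {"log-lib": "2.6.9"}},
    "node_modules/log-lib": {"version": "2.6.9", "license": "MIT"},
    "node_modules/util-lib": {"version": "4.17.15", "license": "GPL-3.0"},
}

# Constructed advisories: package -> (first fixed version, placeholder id).
# Any installed version below the fixed version is treated as affected.
ADVISORIES = {
    "log-lib": ("2.6.10", "EXAMPLE-ADVISORY-1"),
    "util-lib": ("4.17.21", "EXAMPLE-ADVISORY-2"),
}
# Constructed licence policy: licences the organization does not allow.
DENIED_LICENSES = {"GPL-3.0"}


@dataclass
class Node:
    name: str
    version: str
    license: str
    children: list = field(default_factory=list)


def parse_version(version):
    """Turn "4.17.15" into (4, 17, 15) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_tree(lockfile, path="", seen=()):
    """Walk the flat lockfile from the root entry and build the nested tree.
    `seen` holds the ancestor paths so a dependency cycle cannot recurse forever."""
    entry = lockfile[path]
    name = entry.get("name") or path.rsplit("/", 1)[-1]
    node = Node(name, entry["version"], entry.get("license", "UNKNOWN"))
    for dep in entry.get("dependencies", {}):
        dep_path = f"node_modules/{dep}"
        if dep_path in seen:
            continue
        node.children.append(build_tree(lockfile, dep_path, seen + (dep_path,)))
    return node


def issues_for(node):
    """Advisory and licence findings for one package, as the Errors view would list them."""
    issues = []
    advisory = ADVISORIES.get(node.name)
    if advisory and parse_version(node.version) < parse_version(advisory[0]):
        issues.append(f"{advisory[1]} (fixed in {advisory[0]})")
    if node.license in DENIED_LICENSES:
        issues.append(f"denied licence {node.license}")
    return issues


def render(node, depth=0):
    """Indented tree lines; packages with findings get them appended in brackets."""
    found = issues_for(node)
    tag = f"  [{'; '.join(found)}]" if found else ""
    lines = [f"{'  ' * depth}{node.name}@{node.version}{tag}"]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


def summarize(node, summary=None):
    """Per-package occurrence count across the whole tree plus its findings,
    which shows how often a vulnerable package is pulled in implicitly."""
    summary = {} if summary is None else summary
    record = summary.setdefault(
        node.name, {"version": node.version, "occurrences": 0, "issues": issues_for(node)})
    record["occurrences"] += 1
    for child in node.children:
        summarize(child, summary)
    return summary


if __name__ == "__main__":
    root = build_tree(LOCKFILE)
    print("\n".join(render(root)))
    for name, record in summarize(root).items():
        if record["issues"]:
            print(f"{name}@{record['version']}: {record['occurrences']}x, {record['issues']}")
```

In the constructed data, log-lib appears twice (under http-lib directly and again under parser-lib), so its advisory shows up at two places in the tree while the summary reports it once with an occurrence count of two; that is the recurrence a practitioner wants before deciding where a fix has to land.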

To view the issues in your open source packages:

  1. Under Repository, select the repository you want to review.
    The root packages deployed by the selected repository are displayed, as well as the dependencies they unpack.
  2. Click >> next to each dependency to expand it and view the list of its required dependencies.
  3. Select a specific package dependency from the tree to view its details in the Resource Explorer.
  4. Go to Errors. Here, from the Policy / Vulnerability dropdown, you can navigate between licenses and vulnerabilities (CVEs).
    For more information about the details displayed here, see Resource Explorer.

Navigate between licenses and CVEs

In the example below, you can see License data on the left and CVE data on the right.

  5. To close the dependency tree and view the flat supply chain, click <<.

📘

Note

Fixes for SCA vulnerabilities can be made either from the Resource Explorer pane or from the Projects page. The former is more general and bumps the package to the version that fixes the most vulnerabilities, while the latter offers more fix options. See Open Source (SCA) for more detail.

Supply Chain Fix

Click Submit a Pull Request in the Resource Explorer to create a single PR for all fixable code assets found in the graph. This fix function opens one PR to clear out all the misconfigured infrastructure or vulnerabilities in a given repository. Alternatively, you can open a fix only for the subset of assets defined by a Search.

Supply Chain Policies

Git-based VCS or CI configurations are now continuously evaluated by Checkov and Bridgecrew. For more information see the policy index.

Data Model

Each node type is listed below with its destination edge, the supported services and an example (the original table columns).

Node: Organization
  Destination edge: Owns
  Supported services: GitHub.com, GitHub Enterprise, GitLab.com, GitLab Enterprise, BitBucket Server, BitBucket Cloud, Azure Repos
  Example: Bridgecrew

Node: Repository
  Destination edge: Deploys
  Supported services: same as Organization
  Example: Checkov

Node: Files
  Destination edges: Unpacks, Builds, Declares, Configured by
  Supported services: IaC: Terraform, CloudFormation, Kubernetes, ARM Templates, Docker; Open Source: NPM, Gradle, PIP, Maven, GO; CI/CD: -
  Examples: ec.tf, dockerfile, pipfile

Node: Resources
  Destination edge: Provisions
  Supported services: same as Files

Node: Dependants/Dependencies
  Destination edge: -
  Supported services: Cloud Providers: AWS, GCP, Azure; IaC: Terraform, CloudFormation, Kubernetes; Open Source: -
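The data model above, together with the Search and Filters sections, as an added example (not Bridgecrew or Checkov code): a small in-memory graph whose node types and edge names follow the table (Owns, Deploys, Unpacks, Declares, Provisions), a Status filter, children ordered by the number of errors beneath them, and an exact or free-text search that reports the chain of edges from the repository to each hit, which is what distinguishes explicit from implicit use of a package. All node names, statuses and error counts are constructed sample data.

```python
"""In-memory model of the supply-chain graph: nodes typed as in the Data Model
table, edges named after the table's destination edges, plus the Status filter,
error-count ordering and exact / free-text search. Added example; not
Bridgecrew or Checkov code. Every value below is constructed."""
from collections import defaultdict

# Node id -> (kind, name, status, open_errors). Status mirrors the Status
# filter on the page: Open (failed scan, open findings), Passed or Suppressed.
NODES = {
    "org": ("Organization", "example-org", "Passed", 0),
    "repo": ("Repository", "example-org/payments", "Open", 0),
    "f1": ("File", "main.tf", "Open", 0),
    "f2": ("File", "package.json", "Open", 0),
    "f3": ("File", "Dockerfile", "Passed", 0),
    "r1": ("Resource", "aws_s3_bucket.logs", "Open", 2),
    "r2": ("Resource", "aws_security_group.web", "Suppressed", 1),
    "p1": ("Package", "util-lib@4.17.15", "Open", 3),
    "p2": ("Package", "http-lib@4.17.1", "Passed", 0),
    "p3": ("Package", "log-lib@2.6.9", "Open", 1),
    "c1": ("CloudResource", "arn:aws:s3:::example-logs", "Open", 2),
}

# (source, edge, destination), named after the Data Model table.
EDGES = [
    ("org", "Owns", "repo"),
    ("repo", "Deploys", "f1"), ("repo", "Deploys", "f2"), ("repo", "Deploys", "f3"),
    ("f1", "Declares", "r1"), ("f1", "Declares", "r2"),
    ("f2", "Unpacks", "p1"), ("f2", "Unpacks", "p2"),
    ("p2", "Dependencies", "p3"),   # implicit (transitive) use of log-lib
    ("r1", "Provisions", "c1"),     # code-to-cloud tracing of the IaC block
]


def adjacency(edges):
    """Source id -> list of (edge name, destination id)."""
    adj = defaultdict(list)
    for src, edge, dst in edges:
        adj[src].append((edge, dst))
    return adj


def descendants(node_id, adj):
    """Every node reachable from node_id, mapped to the edge names on the path."""
    reached, stack = {}, [(node_id, [])]
    while stack:
        current, path = stack.pop()
        for edge, dst in adj.get(current, []):
            if dst not in reached:
                reached[dst] = path + [edge]
                stack.append((dst, path + [edge]))
    return reached


def total_errors(node_id, adj):
    """Open errors on a node plus on everything beneath it in the chain."""
    return NODES[node_id][3] + sum(NODES[d][3] for d in descendants(node_id, adj))


def children_ordered(node_id, adj):
    """Direct children ordered by the errors under them, most first, as the graph orders resources."""
    kids = [dst for _, dst in adj.get(node_id, [])]
    return sorted(kids, key=lambda n: total_errors(n, adj), reverse=True)


def filter_status(status):
    """Ids of the nodes matching one Status filter value."""
    return {n for n, (_, _, s, _) in NODES.items() if s == status}


def search(term, exact=False, status=None):
    """Exact or free-text search over node names, optionally narrowed by status.
    Each hit carries the edge path from the repository so a package reached via
    another package (implicit use) is visibly different from a direct one."""
    adj = adjacency(EDGES)
    paths = descendants("repo", adj)
    hits = []
    for node_id, (kind, name, node_status, errs) in NODES.items():
        matched = name == term if exact else term.lower() in name.lower()
        if not matched or (status and node_status != status):
            continue
        hits.append({"id": node_id, "kind": kind, "name": name, "status": node_status,
                     "open_errors": errs, "path": " -> ".join(paths.get(node_id, []))})
    return hits


if __name__ == "__main__":
    adj = adjacency(EDGES)
    print("files under the repository, riskiest first:",
          [NODES[n][1] for n in children_ordered("repo", adj)])
    for hit in search("lib", status="Open"):
        print(f"{hit['name']}: {hit['open_errors']} open, via {hit['path']}")
```

Searching for "log-lib" returns a path of Deploys -> Unpacks -> Dependencies, i.e. the package is only present through http-lib, whereas util-lib is reached by Deploys -> Unpacks directly from package.json; a free-text search for "util-lib" matches the versioned node name while an exact search needs the full "util-lib@4.17.15".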