Supply Chain
Overview
High-profile attacks like Log4Shell, ChaosDB and AzureScape demonstrated how supply chain vulnerabilities can go unnoticed and then become extremely public, disruptive and costly incidents. Organizations developing applications in the public cloud rely on verifiable packaging constructs to ship their code securely. When those constructs are compromised, it is up to developers to identify what infrastructure may have been impacted and which artifacts should be remediated.
About the Graph
The Supply Chain Graph is a real-time attestation of the artifacts used to build, configure and invoke cloud infrastructure. The data represented in the graph reflects an opinionated supply chain attack surface of your repositories and describes how cloud infrastructure and applications may become compromised.
Auto Discovery
The graph is updated in real time based on periodic scanning of VCS default branches, CI/CD runs and active cloud accounts. Code and code assets are extracted and modeled using existing Bridgecrew scanners.
Resource Data
Resources in the graph are chained based on the technologies used to deploy them. They are also ordered by the number of errors/vulnerabilities associated with them. The root node is the Git Organization hosting the subject Repository. Under the repository, you will find your Files. Depending on the application or infrastructure technology you use, Files will then include their dependent assets. For example, IaC files render Resource Blocks, whereas NPM files render packages.
Code to Cloud
Select technologies enable full tracing between an IaC resource block and a running cloud configuration.
Filters
- Status: Use this filter to select whether to review assets based on their security scan results. By default, Open is selected, showing assets that have failed a scan and have open errors/vulnerabilities. Selecting Passed or Suppressed instead renders resources that have either not failed a scan or have been manually suppressed.
- Git Repository: Use this filter to toggle between the connected repositories onboarded to your organization.
- File types: Use this filter to zoom in on specific technology types and assess their overall risk posture.
Search
Use the graph's embedded search function to analyze the recurrence of a file, package or resource and evaluate its risk posture. You can use Search to find explicit and implicit use of vulnerable modules and packages. Use exact matches or free-text matches of known vulnerable software components to pinpoint the risks associated with them on the graph.


Search for a known vulnerable package to trace its prevalence
Supply Chain Fix
Clicking Submit a Pull Request on a loaded view of the graph creates a single PR covering all fixable code assets found in the graph. This fix function enables opening a single PR to clear out all the misconfigured infrastructure or vulnerabilities in a given repo. Alternatively, you can open a fix only for the subset of assets selected by the Search.
Supply Chain Policies
Git-based VCS or CI configurations are now continuously evaluated by Checkov and Bridgecrew. For more information see the policy index.
Data Model
Node | Destination Edge | Supported services | Example |
---|---|---|---|
Organization | Owns | GitHub.com | |
Repository | Deploys | ☝️ | |
Files | Unpacks | IaC: Terraform, CloudFormation, Kubernetes, ARM Templates, Docker | |
Resources | Provisions | ☝️ | |
Dependants/Dependencies | | Cloud Providers: AWS, GCP, Azure | |
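As an added illustration of the Resource Data section and the Data Model table (example code, not Bridgecrew's own), this toy model chains Organization, Repository, File and Resource nodes with the table's edge names, orders siblings by open findings, and reproduces the Search recurrence lookup. All organization, repository, file and package names, versions and finding counts below are constructed.

```python
from dataclasses import dataclass, field
# Destination edge for each node kind, as in the Data Model table above.
EDGES = {"Organization": "Owns", "Repository": "Deploys", "File": "Unpacks", "Resource": "Provisions"}

@dataclass
class Node:
    kind: str            # Organization, Repository, File or Resource (IaC block or package)
    name: str
    findings: int = 0    # open errors/vulnerabilities from the latest scan of this asset
    children: list = field(default_factory=list)

    def open_findings(self) -> int:
        """Findings on this node plus everything chained beneath it."""
        return self.findings + sum(c.open_findings() for c in self.children)

    def ordered_children(self) -> list:
        """Siblings are ordered by number of open findings, riskiest first."""
        return sorted(self.children, key=Node.open_findings, reverse=True)

def walk(node: Node, chain: tuple = ()):
    """Yield (chain, node) for every node; chain is the edge-labelled path from the root."""
    yield chain, node
    for child in node.children:
        yield from walk(child, chain + (f"{node.name} -{EDGES[node.kind]}->",))

def search(root: Node, term: str, exact: bool = False) -> list:
    """Recurrence of a file, package or resource: one chain string per matching asset."""
    hits = []
    for chain, node in walk(root):
        if node.kind not in ("File", "Resource"):
            continue
        matched = node.name == term if exact else term.lower() in node.name.lower()
        if matched:
            hits.append(" ".join(chain + (node.name,)))
    return hits

def npm_manifest() -> Node:
    """Constructed package.json carrying one flagged (fictional) package."""
    return Node("File", "package.json", children=[Node("Resource", "demo-logger@1.0.0", findings=1)])

def build_sample() -> Node:
    """Constructed sample graph: one org, two repos, a Terraform file and two NPM manifests."""
    return Node("Organization", "acme-org", children=[
        Node("Repository", "payments-api", children=[
            Node("File", "main.tf", children=[
                Node("Resource", "aws_s3_bucket.logs", findings=2),   # failed scan
                Node("Resource", "aws_kms_key.main")]),               # passed
            npm_manifest()]),
        Node("Repository", "web-frontend", children=[npm_manifest()])])
```

Running `search(build_sample(), "demo-logger")` returns one chain per repository that unpacks the flagged package, which is the prevalence question the Search section describes.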