Supply Chain

Overview

High-profile attacks like Log4Shell, ChaosDB and AzureScape demonstrated how supply chain vulnerabilities can go unnoticed and then become extremely public, disruptive and costly incidents. Organizations developing applications in the public cloud rely on verifiable packaging constructs to ship their code securely. When those constructs become compromised, it is up to developers to identify what infrastructure may have been impacted and which artifacts should be remediated.

About the Graph

The Supply Chain Graph is a real-time attestation of the artifacts used to build, configure and invoke cloud infrastructure. The data represented in the graph reflects an opinionated supply chain attack surface of your repositories and describes how cloud infrastructure and applications may become compromised.

Auto Discovery

The graph is updated in real time based on periodic scanning of VCS default branches, CI/CD runs and active cloud accounts. Code and code assets are extracted and modeled using the existing Bridgecrew scanners.

Resource Data

Resources in the graph are chained based on the technologies used to deploy them. They are also ordered by the number of errors/vulnerabilities associated with them. The root node is the Git Organization hosting the subject Repository. Under the repository, you will find your Files. Depending on the application or infrastructure technology you use, Files will then include their dependent assets. For example, IaC files will render Resource Blocks, whereas NPM files will render packages.

Code to Cloud

Select technologies enable full tracing between an IaC resource block and a running cloud configuration.

Filters

  1. Status: Use this filter to select which assets to review based on their security scan results. By default, Open is selected, showing assets that have failed a scan and now have open errors/vulnerabilities. Selecting Passed or Suppressed instead renders resources that have either passed a scan or been manually suppressed.
  2. Git Repository: Use this filter to toggle between connected repositories onboarded to your organization.
  3. File types: Use this filter to zoom in on specific technology types and assess their overall risk posture.

Search

Use the graph's embedded search function to analyze the recurrence of a file, package or resource and evaluate its risk posture. You can use Search to find explicit and implicit use of vulnerable modules and packages. Use exact matches or free-text matches of known vulnerable software components to pinpoint the risks associated with them on the graph.

Search for a known vulnerable package to trace its prevalence

Supply Chain Fix

Clicking Submit a Pull Request on a loaded view of the graph creates a single PR for all fixable code assets found in the graph. This fix function enables opening a single PR to clear out all the misconfigured infrastructure or vulnerabilities in a given repo. Alternatively, you can open a fix only for the subset of assets defined by the Search.

Supply Chain Policies

Git-based VCS or CI configurations are now continuously evaluated by Checkov and Bridgecrew. For more information see the policy index.

Data Model

| Node | Destination Edge | Supported services | Example |
| --- | --- | --- | --- |
| Organization | Owns | GitHub.com, GitHub Enterprise, GitLab.com, GitLab Enterprise, BitBucket Server, BitBucket Cloud, Azure Repos | Bridgecrew |
| Repository | Deploys | ☝️ | Checkov |
| Files | Unpacks, Builds, Declares, Configured by | IaC: Terraform, CloudFormation, Kubernetes, ARM Templates, Docker; Open Source: NPM, Gradle, PIP, Maven, GO; CI/CD: - | ec.tf, dockerfile, pipfile |
| Resources | Provisions, Dependants/Dependencies | Cloud Providers: AWS, GCP, Azure; IaC: Terraform, CloudFormation, Kubernetes; Open Source: - | ☝️ |
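To make the Data Model and the Search section concrete, here is an added Python sketch of the graph (example code, not Bridgecrew's or Checkov's own): nodes typed as in the table, edges of the listed kinds, a search that finds explicit and implicit (transitive) use of a package per repository honouring the Status filter, and the open-findings count the graph orders by. Every org, repo, file and package name in build_example is constructed.

```python
from collections import defaultdict, deque

class SupplyChainGraph:
    """Node types, edge kinds and Open/Passed/Suppressed status follow the Data Model and Filters above."""
    def __init__(self):
        self.kind, self.status = {}, {}   # node -> type, node -> scan status
        self.out = defaultdict(list)      # src -> [(edge kind, dst)]

    def add_node(self, name, kind, status="Passed"):
        self.kind[name], self.status[name] = kind, status

    def add_edge(self, src, edge, dst):
        self.out[src].append((edge, dst))

    def _reach(self, start, edges=None):
        """BFS from `start`, restricted to `edges` kinds if given; returns node -> path."""
        paths, queue = {start: [start]}, deque([start])
        while queue:
            cur = queue.popleft()
            for edge, dst in self.out[cur]:
                if (edges is None or edge in edges) and dst not in paths:
                    paths[dst] = paths[cur] + [dst]
                    queue.append(dst)
        return paths

    def search_package(self, target, statuses=("Open",)):
        """Repo -> [(file, path)] for files pulling in `target` explicitly (path length 1)
        or implicitly through Dependencies edges; `statuses` mirrors the Status filter."""
        hits = defaultdict(list)
        if self.status[target] in statuses:
            for repo in (n for n, k in self.kind.items() if k == "Repository"):
                for _, file in (e for e in self.out[repo] if e[0] == "Deploys"):
                    for _, pkg in (e for e in self.out[file] if e[0] == "Declares"):
                        path = self._reach(pkg, {"Dependencies"}).get(target)
                        if path:
                            hits[repo].append((file, path))
        return dict(hits)

    def open_findings(self, repo):
        # Open errors/vulnerabilities under a repository: the key the graph orders by.
        return sum(self.status[n] == "Open" for n in self._reach(repo))

def build_example():
    """Constructed sample graph; every org, repo, file and package name is invented."""
    g = SupplyChainGraph()
    for n, k, *s in [("acme", "Organization"), ("frontend", "Repository"), ("billing", "Repository"),
                     ("frontend/package.json", "File"), ("billing/package.json", "File"),
                     ("ui-kit", "Package", "Open"), ("parser-lib", "Package", "Open"), ("logger", "Package")]:
        g.add_node(n, k, *s)                  # status defaults to Passed
    for s, e, d in [("acme", "Owns", "frontend"), ("acme", "Owns", "billing"),
                    ("frontend", "Deploys", "frontend/package.json"), ("billing", "Deploys", "billing/package.json"),
                    ("frontend/package.json", "Declares", "ui-kit"), ("ui-kit", "Dependencies", "parser-lib"),
                    ("billing/package.json", "Declares", "parser-lib"), ("billing/package.json", "Declares", "logger")]:
        g.add_edge(s, e, d)
    return g
```

Searching the sample graph for parser-lib reports billing as an explicit user and frontend as an implicit one (reached through ui-kit), and sorting repositories by open_findings puts frontend first because both of its packages are Open.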