Practical, cross-ecosystem guidance for defending against software supply chain attacks.
Maintained as a living repository because controls in this space evolve continuously across package managers, registries, and tooling. This also enables contributions, so that the set of controls stays up to date and anyone can benefit from it.
- Read the prioritization framework
- Implement the core controls described in controls
- Review ecosystem-specific guidance for your stack
- Open an issue if guidance appears outdated
- Lock dependencies and verify integrity
- Disable or allowlist install-time lifecycle scripts
- Enforce version cooldown periods
- Require hardware-backed MFA for publisher accounts
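Two of these quick wins, lockfile integrity verification and version cooldown, can be exercised against npm's own data formats. The following is an added example, not a script from this repository: it takes the publish-time map that `npm view <pkg> time --json` returns and picks the newest version older than a cooldown window, and it recomputes and checks the Subresource Integrity string (`sha512-<base64>`) that `package-lock.json` records per package. The metadata, timestamps and tarball bytes are constructed for illustration.

```python
"""Added example (not part of this guide's scripts): version cooldown and
SRI integrity checks in the shapes npm uses. All sample data is constructed."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Only the algorithms the SRI spec allows. npm lockfile v1 sometimes recorded
# sha1 integrity values; those are ignored so a weak digest cannot vouch for a tarball.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def parse_registry_time(ts):
    """Parse the ISO-8601 timestamps the npm registry emits (trailing 'Z', milliseconds)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_version_with_cooldown(time_map, min_age_days, now=None):
    """Return the most recently published version that is at least
    `min_age_days` old, or None if no version qualifies.

    `time_map` has the shape of the registry's `time` field:
    {"created": ..., "modified": ..., "<version>": "<publish timestamp>", ...}.
    Candidates are ranked by publish time rather than semver, so no semver
    parser is needed; the trade-off is that a backport published after a
    newer major release outranks it, which is acceptable for a cooldown gate.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_age_days)
    candidates = [
        (parse_registry_time(published), version)
        for version, published in time_map.items()
        if version not in ("created", "modified") and isinstance(published, str)
    ]
    eligible = [(published, version) for published, version in candidates if published <= cutoff]
    if not eligible:
        return None
    return max(eligible)[1]


def compute_sri(data, algorithm="sha512"):
    """Produce an SRI string as package-lock.json stores it: "<alg>-<base64 digest>"."""
    digest = SRI_ALGORITHMS[algorithm](data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data, integrity):
    """Check `data` against a lockfile `integrity` value.

    SRI permits several whitespace-separated entries; only entries using the
    strongest supported algorithm present are consulted, and any one of them
    matching is enough (browser SRI semantics). Unknown or weak algorithms
    are skipped, so a value like "sha1-..." on its own verifies nothing.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, b64 = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, b64))
    if not parsed:
        return False
    top = max(SRI_STRENGTH[algorithm] for algorithm, _ in parsed)
    return any(
        hmac.compare_digest(compute_sri(data, algorithm), f"{algorithm}-{b64}")
        for algorithm, b64 in parsed
        if SRI_STRENGTH[algorithm] == top
    )


# Constructed sample inputs, not real registry data or a real tarball.
SAMPLE_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2024-06-02T09:15:00.000Z",
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.1.0": "2024-03-05T08:30:00.000Z",
    "1.1.1": "2024-06-02T09:15:00.000Z",
}
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)
SAMPLE_TARBALL = b"constructed stand-in for a package tarball\n"

if __name__ == "__main__":
    # 1.1.1 is only three days old, so a 7-day cooldown falls back to 1.1.0.
    print(select_version_with_cooldown(SAMPLE_TIME, 7, NOW))
    lock_integrity = compute_sri(SAMPLE_TARBALL)
    print(verify_integrity(SAMPLE_TARBALL, lock_integrity))           # matching bytes
    print(verify_integrity(SAMPLE_TARBALL + b"\n", lock_integrity))   # tampered bytes
    weak = "sha1-" + base64.b64encode(hashlib.sha1(SAMPLE_TARBALL).digest()).decode("ascii")
    print(verify_integrity(SAMPLE_TARBALL, weak))                     # weak algorithm ignored
```

In practice the time map comes from `npm view <pkg> time --json` (or the registry document directly) and the integrity value from the `packages` entry in `package-lock.json`; the same two checks map onto other ecosystems that expose publish timestamps and content hashes, such as PyPI's release metadata and hashes in a `requirements.txt` lock.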
See CONTRIBUTING.md.
- Phase 1 (current): Markdown documentation, front matter metadata, issue templates, branch protection.
- Phase 2: Structured YAML control catalog, automated table generation, per-ecosystem CODEOWNERS expansion.
- Phase 3: GitHub Pages publication, generated comparison tables from structured data.
- Phase 4: Versioned releases, downloadable snapshots, additional ecosystems.
This guide was originally published as a blog post at Bugscale: https://bugscale.ch/blog/defending-against-software-supply-chain-attacks-a-cross-ecosystem-guide
The blog post remains available for historical context. The repository is the canonical, maintained version.
Documentation is licensed under CC BY 4.0. Scripts and code snippets are licensed under Apache-2.0. See LICENSE for details.