
Supply Chain Security

You deploy dependencies without an SBOM. In a SolarWinds-style attack, your build system is compromised and every container it produces is malicious. Here's how to prevent it.

"Not a Pentest" trust anchor: a supply chain security guide for your own software supply chain.

What is Supply Chain Security? Simply explained.

Supply chain security means: secure your software supply chain — from dependencies through build systems to deployment. Risks: compromised packages (SolarWinds, XZ Utils), typosquatting, dependency confusion, malicious maintainers. Good supply chain security: SBOM generation, dependency pinning, container signing (Sigstore), build provenance, dependency scanning in CI/CD.


4 Supply Chain Controls

S1 SBOM Generation

Generate Software Bill of Materials (SBOM) with Syft and scan for vulnerabilities with Grype.

# Generate an SBOM with Syft (CycloneDX format)
syft dir:. -o cyclonedx-json > sbom.json

# Scan the SBOM for vulnerabilities (Grype)
grype sbom:sbom.json --fail-on critical

# npm SBOM (for Node.js)
npm sbom --sbom-format cyclonedx > npm-sbom.json

# Container SBOM
syft ghcr.io/clawguru/openclaw:latest \
  -o cyclonedx-json > container-sbom.json

S2 Dependency Pinning

Pin dependencies to specific versions — no floating tags (latest), SHA256 digests for container images.

# Commit package-lock.json (Node.js)
# The lock file contains exact versions and hashes

# Pin container images by SHA256 digest
# BAD: myimage:latest
# GOOD: myimage@sha256:abc123...

# Docker Compose with digests
services:
  app:
    image: myimage@sha256:abc123def456...

S3 Sigstore Container Signing

Sign container images with cosign and verify — build provenance and integrity checks.

# Sign the container image
cosign sign --key cosign.key ghcr.io/clawguru/openclaw:latest

# Verify the image (at deployment) with the matching public key
cosign verify --key cosign.pub ghcr.io/clawguru/openclaw:latest

# Attach an SBOM attestation
cosign attest \
  --key cosign.key \
  --predicate sbom.json \
  --type cyclonedx \
  ghcr.io/clawguru/openclaw:latest

# Verify the attestation
cosign verify-attestation \
  --key cosign.pub \
  --type cyclonedx \
  ghcr.io/clawguru/openclaw:latest

S4 Dependency Scanning in CI/CD

Automated dependency scanning in CI/CD pipeline — npm audit, pip-audit, trivy as mandatory step.

# GitHub Actions: npm audit
- name: Run npm audit
  run: npm audit --audit-level=moderate

# Trivy filesystem scan
# (pin the action to a release tag or commit SHA rather than @master)
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: '.'
    format: 'sarif'
    output: 'trivy-results.sarif'
    # Fail the build on HIGH/CRITICAL findings (fail fast on security issues)
    severity: 'HIGH,CRITICAL'
    exit-code: '1'
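
A pin audit covering both the S2 rule (images by SHA256 digest) and the S4 workflow (action references), as an added example that is not part of the original page. The sample Compose and workflow text, the `registry.example` and `example-org` names, and the function name `unpinned_refs` are constructed for illustration; a truncated digest such as `sha256:abc123` is treated as unpinned.

```python
import re

# Constructed sample files (not from the original page).
COMPOSE = """\
services:
  app:
    image: myimage:latest
  db:
    image: registry.example/db@sha256:{d}
  cache:
    image: myimage@sha256:abc123
""".format(d="a" * 64)

WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@master
  - uses: example-org/example-action@{s}
  - uses: ./local-action
""".format(s="b" * 40)

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")   # full image digest
COMMIT = re.compile(r"@[0-9a-f]{40}$")          # full git commit SHA
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"#]+)")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")


def unpinned_refs(text):
    """Return (line_no, kind, ref) for each reference that is not immutable."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := IMAGE_LINE.match(line):
            if not DIGEST.search(m.group(1)):
                findings.append((no, "image", m.group(1)))
        elif m := USES_LINE.match(line):
            ref = m.group(1)
            if ref.startswith("./"):      # local action, versioned with the repo
                continue
            # docker:// actions are images; everything else is a git ref
            rule = DIGEST if ref.startswith("docker://") else COMMIT
            if not rule.search(ref):
                findings.append((no, "action", ref))
    return findings


if __name__ == "__main__":
    for name, text in (("compose", COMPOSE), ("workflow", WORKFLOW)):
        for no, kind, ref in unpinned_refs(text):
            print(f"{name}:{no}: unpinned {kind}: {ref}")
```

Run as a CI step, a non-empty result is the signal to fail the build before anything is pulled.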

Real-World Scars: Production Incidents

SCAR #1: SolarWinds Supply Chain Attack (CRITICAL)

Build system compromised, malicious code distributed in Orion updates. 18,000+ customers affected. Fix: Hermetic builds, build provenance, container signing.

Root Cause: Compromised build system. Lessons: Hermetic builds + provenance.

SCAR #2: XZ Utils Backdoor (HIGH)

Malicious maintainer planted backdoor in XZ Utils (SSH server). SSH keys compromised. Fix: Minimal dependencies, maintainer audit, SBOM verification.

Root Cause: Malicious maintainer. Lessons: Maintainer audit + minimal dependencies.

Immediate Actions: What to do today?

1. Generate SBOM: Install Syft, generate SBOM for all images.
2. Dependency pinning: Commit package-lock.json, pin container images with SHA256.
3. Set up Sigstore: Install cosign, sign and verify images.
4. CI/CD dependency scanning: npm audit/trivy as mandatory step in CI pipeline.

Interactive Supply Chain Security Checklist

Supply Chain Security Score Calculator

Is SBOM generated?
Is dependency pinning enabled?
Are container images signed?
Is dependency scanning in CI/CD?

Industry Average: 15/100

Frequently Asked Questions

What is an SBOM and why do I need it?

SBOM (Software Bill of Materials) is an inventory list of all dependencies in your software — including versions, licenses and vulnerabilities. You need it for: compliance (NIST, EU AI Act), incident response (which packages are affected?), vulnerability management (proactive scanning), supply chain security (transparency over your dependencies).

Dependency pinning vs latest — what to use?

Always pin. Floating tags (latest, v2, main) are a security risk — you don't know what gets deployed. Pinning: package-lock.json (Node.js), requirements.txt with hashes (Python), SHA256 digests for container images. Exception: dev-dependencies can auto-update with Renovate/Dependabot.

Sigstore vs GPG for container signing?

Sigstore (cosign) is more modern and easier: no key management overhead (keys stored in Rekor log), OIDC integration for CI/CD (GitHub Actions, GitLab CI), build provenance automatically attested, verification without key exchange. GPG: manual key management, manual build provenance, more complex integration. Recommendation: Sigstore for new projects.

Protection against SolarWinds-style attacks?

SolarWinds was a supply chain attack via compromised build systems. Protection: Hermetic builds (build in isolated environment without internet), build provenance (who built what when?), SBOM verification (does SBOM match deploy?), container signing (only deploy signed images), CI/CD hardening (MFA, branch protection, audit logs).
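
The "does SBOM match deploy?" check from the answer above, as an added example that is not part of the original page: it compares the packages in a `package-lock.json` with the npm components of a CycloneDX SBOM and reports drift in both directions. The sample lock file, the sample SBOM and all function names are constructed; it assumes a lockfileVersion 2 or 3 lock file and components that carry a `pkg:npm/` purl.

```python
import json

# Constructed sample data (not from the original page).
LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@scope/util": {"version": "2.1.0"},
    "node_modules/a/node_modules/left-pad": {"version": "1.1.0"}
  }
}""")
SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    {"group": "@scope", "name": "util", "version": "2.0.0",
     "purl": "pkg:npm/%40scope/util@2.0.0"},
    {"name": "extra", "version": "0.1.0", "purl": "pkg:npm/extra@0.1.0"}
  ]
}""")

def lock_packages(lock):
    """(name, version) pairs from a v2/v3 package-lock, nested copies included."""
    out = set()
    for path, meta in lock.get("packages", {}).items():
        if not path or meta.get("link"):   # skip the root project and workspace links
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        out.add((name, meta["version"]))
    return out

def sbom_packages(sbom):
    """(name, version) pairs for npm components in a CycloneDX document."""
    out = set()
    for c in sbom.get("components", []):
        if c.get("purl", "").startswith("pkg:npm/"):
            # Some generators split the scope into "group"; others keep it in "name".
            name = f'{c["group"]}/{c["name"]}' if c.get("group") else c["name"]
            out.add((name, c["version"]))
    return out

def drift(lock, sbom):
    """Packages the SBOM fails to list, and packages it lists that were never locked."""
    locked, listed = lock_packages(lock), sbom_packages(sbom)
    return {"missing_from_sbom": sorted(locked - listed),
            "not_in_lockfile": sorted(listed - locked)}
```

In the sample, the nested `left-pad` 1.1.0 copy and the `@scope/util` version change both surface, which a name-only comparison would miss.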

R. Schwertfechter

Principal Ops-Engineer & Security Architect
Published: 01.05.2026 · Last reviewed: 01.05.2026
15+ years experience as Ops-Engineer, Incident Responder and Security Architect. Expert in supply chain security, SBOM, Sigstore and build provenance.
