Post-Incident Review | P2 | ~180 min

Vendor & SBOM Governance Review

Document the vendor-side failure mode, the gaps in internal supply-chain governance that let the malicious artifact through, and the specific controls (SBOM, signing, admission, anomaly detection) that must be added.

Actions

  1. Write a short timeline: vendor compromise, malicious release, internal ingestion, detection, containment. Identify the earliest control that could have caught the issue and why it did not.

  2. Assess SBOM coverage: which systems produced SBOMs, how frequently, were they stored in a queryable form, and could you answer "who has this package version" in minutes, not days?

  3. Assess artifact signing and verification: was signature verification enforced at install and at runtime? Were allowlists used for acceptable signers? Was there drift?

  4. Assess build-time admission controls (Sigstore/Cosign verification, OPA/Conftest policies on package sources) and runtime admission (Kyverno/Gatekeeper policies on image provenance).

  5. Document specific control improvements with owners and dates: SBOM storage + query, signature verification enforcement, provenance attestation, dependency anomaly detection (e.g., sudden new maintainer, fast-follower version bump).
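The "who has this package version" test in action 2 is only answerable quickly if SBOMs are stored and indexed rather than left as build artifacts. The following is an added example (not part of this checklist or any vendor tooling) of the minimum such a store needs: an inverted index from package URL to system, plus a coverage report that shows which in-scope systems have a fresh SBOM, a stale one, or none. The SBOM documents are constructed CycloneDX-shaped JSON; the system names, package versions and timestamps are made up for illustration.

```python
"""Answer "who has package X at version Y?" from stored SBOMs.

Added example for the SBOM-coverage step of the review. The SBOMs below are
constructed, CycloneDX-shaped documents for hypothetical systems; in practice
they would be read from the SBOM store rather than embedded.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SBOMs, one per system, with the time each was generated.
STORED_SBOMS = {
    "payments-api": {
        "generated": "2024-05-01T08:00:00Z",
        "doc": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "left-pad", "version": "1.3.0",
                 "purl": "pkg:npm/left-pad@1.3.0"},
                {"type": "library", "name": "requests", "version": "2.31.0",
                 "purl": "pkg:pypi/requests@2.31.0"},
            ],
        }),
    },
    "web-frontend": {
        "generated": "2024-05-02T12:30:00Z",
        "doc": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "left-pad", "version": "1.3.0",
                 "purl": "pkg:npm/left-pad@1.3.0"},
                {"type": "library", "name": "lodash", "version": "4.17.21",
                 "purl": "pkg:npm/lodash@4.17.21"},
            ],
        }),
    },
    "legacy-portal": {
        "generated": "2023-11-15T09:00:00Z",  # generated once, never refreshed
        "doc": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [
                {"type": "library", "name": "left-pad", "version": "1.1.0",
                 "purl": "pkg:npm/left-pad@1.1.0"},
            ],
        }),
    },
}

# Every system the review treats as in scope; batch-jobs has never produced an SBOM.
IN_SCOPE_SYSTEMS = ["payments-api", "web-frontend", "legacy-portal", "batch-jobs"]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_index(stored):
    """Invert the SBOMs: exact purl -> systems, and versionless purl -> {system: version}."""
    exact = defaultdict(set)
    by_package = defaultdict(dict)
    for system, rec in stored.items():
        bom = json.loads(rec["doc"])
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # components without a purl cannot be matched reliably
            exact[purl].add(system)
            base, sep, version = purl.rpartition("@")
            if not sep:
                base, version = purl, comp.get("version", "")
            by_package[base][system] = version
    return {"exact": exact, "by_package": by_package}


def who_has(index, purl):
    """Systems whose SBOM lists exactly this package@version."""
    return sorted(index["exact"].get(purl, ()))


def which_versions(index, base_purl):
    """Every system that has any version of the package, with the version it has."""
    return dict(sorted(index["by_package"].get(base_purl, {}).items()))


def coverage_report(stored, in_scope, now_iso, max_age_days):
    """Classify in-scope systems as fresh, stale (older than max_age_days) or missing."""
    now, max_age = _parse_ts(now_iso), timedelta(days=max_age_days)
    report = {"fresh": [], "stale": [], "missing": []}
    for system in in_scope:
        rec = stored.get(system)
        if rec is None:
            report["missing"].append(system)
        elif now - _parse_ts(rec["generated"]) > max_age:
            report["stale"].append(system)
        else:
            report["fresh"].append(system)
    return report


INDEX = build_index(STORED_SBOMS)

if __name__ == "__main__":
    print(who_has(INDEX, "pkg:npm/left-pad@1.3.0"))
    print(which_versions(INDEX, "pkg:npm/left-pad"))
    print(coverage_report(STORED_SBOMS, IN_SCOPE_SYSTEMS, "2024-05-03T00:00:00Z", 30))
```

The versionless lookup matters during an incident: the affected version is often only one of several in the estate, and the stale and missing buckets in the coverage report are exactly the systems for which the "minutes, not days" answer cannot be given.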

Queries

Does the CI/CD pipeline fail closed or fail open when SBOM generation or signature verification fails?
How many of our critical vendors have documented forensic-readiness and customer-notification commitments?
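The fail-closed question above, the signer allowlist from action 3 and the anomaly signals from action 5 all come together at the point where a new vendor release is admitted into the pipeline. The following added example (not from this checklist, nor the output format of any real signing tool) shows one admission decision that fails closed: a missing SBOM, a verification step that never ran, or a signer outside the allowlist blocks the release, and a new publisher combined with a fast-follower release holds it for review. The signer identities, release history and ingestion records are constructed.

```python
"""Fail-closed admission decision for an ingested third-party release.

Added example: the records below are constructed, and the signer identity
pair (issuer, subject) stands in for whatever the verification tool reports;
no real tool's output format is assumed.
"""
from datetime import datetime, timedelta

# Constructed allowlist of (issuer, subject) identities permitted to sign this package.
SIGNER_ALLOWLIST = {
    ("https://token.actions.githubusercontent.com",
     "https://github.com/example-vendor/widget/.github/workflows/release.yml@refs/heads/main"),
}

FAST_FOLLOWER = timedelta(hours=48)  # a release this soon after the previous one is unusual
LOOKBACK_RELEASES = 5                # publishers of these prior releases count as "known"

# Constructed release history for the package being ingested.
HISTORY = [
    {"version": "2.3.0", "published": "2024-01-10T10:00:00Z", "publisher": "vendor-release-bot"},
    {"version": "2.3.1", "published": "2024-02-14T10:00:00Z", "publisher": "vendor-release-bot"},
    {"version": "2.4.0", "published": "2024-04-02T10:00:00Z", "publisher": "vendor-release-bot"},
]

_SIG_OK = {"verified": True,
           "issuer": "https://token.actions.githubusercontent.com",
           "subject": "https://github.com/example-vendor/widget/.github/workflows/release.yml@refs/heads/main"}

GOOD_RELEASE = {
    "sbom_present": True, "signature": _SIG_OK, "history": HISTORY,
    "candidate": {"version": "2.4.1", "published": "2024-05-06T10:00:00Z", "publisher": "vendor-release-bot"},
}
# Valid signature, but pushed 15 hours after 2.4.0 by a publisher never seen before.
SUSPICIOUS_RELEASE = {
    "sbom_present": True, "signature": _SIG_OK, "history": HISTORY,
    "candidate": {"version": "2.4.1", "published": "2024-04-03T01:00:00Z", "publisher": "new-account-7731"},
}
# SBOM generation and signature verification never ran: the pipeline must not treat that as a pass.
UNVERIFIED_RELEASE = {
    "sbom_present": False, "signature": None, "history": HISTORY,
    "candidate": {"version": "2.4.1", "published": "2024-05-06T10:00:00Z", "publisher": "vendor-release-bot"},
}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def release_anomalies(history, candidate):
    """Flag the candidate against prior releases: fast-follower timing and unknown publisher."""
    flags = []
    prior = sorted(history, key=lambda r: _ts(r["published"]))
    if prior:
        if _ts(candidate["published"]) - _ts(prior[-1]["published"]) < FAST_FOLLOWER:
            flags.append("fast-follower version bump")
        known = {r["publisher"] for r in prior[-LOOKBACK_RELEASES:]}
        if candidate["publisher"] not in known:
            flags.append("sudden new maintainer")
    return flags


def admit_release(record, allowlist=SIGNER_ALLOWLIST):
    """Fail closed: anything absent, unknown or failed is a block reason, never a pass."""
    reasons = []
    if not record.get("sbom_present"):
        reasons.append("no SBOM produced for release")
    sig = record.get("signature")
    if not sig or sig.get("verified") is not True:
        reasons.append("signature missing or not verified")
    elif (sig.get("issuer"), sig.get("subject")) not in allowlist:
        reasons.append("signer not on allowlist: %r" % ((sig.get("issuer"), sig.get("subject")),))
    warnings = release_anomalies(record.get("history", []), record["candidate"])
    if len(warnings) >= 2:  # two independent anomalies together: hold rather than auto-admit
        reasons.append("hold for review: " + "; ".join(warnings))
    return {"decision": "BLOCK" if reasons else "ADMIT",
            "block_reasons": reasons, "warnings": warnings}


if __name__ == "__main__":
    for name, rec in [("good", GOOD_RELEASE), ("suspicious", SUSPICIOUS_RELEASE),
                      ("unverified", UNVERIFIED_RELEASE)]:
        print(name, admit_release(rec))
```

The fail-open variant of this gate differs by a single default: treating `signature is None` as "nothing to check" instead of "verification did not happen". That is the distinction the first query asks the pipeline owners to answer, and it is worth confirming by test rather than by reading the pipeline configuration.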

Notes

Supply-chain review should produce concrete control additions, not a generic "improve process" recommendation.

Peer and industry sharing of lessons learned is disproportionately valuable in supply-chain incidents -- consider contributing an anonymized account to an ISAC.
