The software supply chain & why it is targeted
Every link from commit to cluster is attack surface.
Your software supply chain is every input and every step between a developer’s idea and the artifact running in production — the source code, the dependencies you pull in, the build system, the container base, the CI pipeline, the registry, and the deploy. Traditional security guards the running application; supply-chain security guards how it was made, because an attacker who compromises any link ships their code inside your trusted artifact, past your perimeter, signed by your name.
Why the supply chain became the target
Attackers follow leverage. Directly breaching a hardened production system is hard; poisoning a widely-used dependency or a build system compromises everyone downstream at once. A typical service is 80–90% third-party code you did not write and rarely read, running builds on automation that holds production credentials — an enormous, under-defended surface. That asymmetry is why supply-chain attacks moved from theoretical to among the most damaging incidents of recent years.
The shift from "is it vulnerable" to "can I trust it"
Vulnerability scanning asks whether an artifact has a known flaw. Supply-chain security asks a different, deeper question: can I trust that this artifact is what it claims to be — built from the source I reviewed, by the pipeline I control, with the dependencies I approved, untampered end to end? Answering that requires making every step verifiable: signed commits, provenance, SBOMs, signatures, and verification at the gate. This course builds that chain of trust link by link.