Supply-chain incident response
When a dependency or build is compromised.
When a supply-chain compromise happens — a dependency is found backdoored, a build system is breached, a signing identity is misused — the response differs from a normal incident in one defining way: you must assume everything that touched or was produced by the compromised link is suspect. It is not "which server was hit" but "which artifacts were built with this poisoned dependency, and everywhere they were deployed." The blast radius follows the supply chain outward, and your job is to trace it.
Your earlier investments are the forensic trail
This is where the whole course pays off defensively. SBOMs let you query which artifacts contain the compromised component in minutes. Provenance and the Rekor transparency log let you determine what was built when, by which pipeline, and whether signing was misused. Registry and deploy records show where affected images ran. Without these, scoping a supply-chain incident is a blind, days-long hunt; with them, it is a series of queries. The evidence you generate on every build is the same evidence you need on the worst day.
Contain, eradicate, and rotate broadly
Containment means stopping the spread: block the compromised images at admission, revoke the affected signing identity or credentials, and halt the pipeline path that produced them. Eradication means rebuilding cleanly from verified source and dependencies — not patching the poisoned artifact — and rotating every secret the compromised link could have touched, because in a build-system breach that is potentially all of them. Then redeploy verified artifacts and, critically, add the control that would have caught it, so the same class of attack cannot recur.