Supply-chain incident response

When a dependency or build is compromised.

Advanced12 min · lesson 17 of 18

When a supply-chain compromise happens — a dependency is found backdoored, a build system is breached, a signing identity is misused — the response differs from a normal incident in one defining way: you must assume everything that touched or was produced by the compromised link is suspect. It is not "which server was hit" but "which artifacts were built with this poisoned dependency, and everywhere they were deployed." The blast radius follows the supply chain outward, and your job is to trace it.

Supply-chain incident response
1scope
which artifacts + deploys touched it
2contain
block, revoke, halt the pipeline
3eradicate
rebuild clean, rotate secrets
4recover + learn
redeploy verified; add a control
The SBOMs, provenance, and Rekor log you built earlier are exactly the forensic trail that makes scoping possible.

Your earlier investments are the forensic trail

This is where the whole course pays off defensively. SBOMs let you query which artifacts contain the compromised component in minutes. Provenance and the Rekor transparency log let you determine what was built when, by which pipeline, and whether signing was misused. Registry and deploy records show where affected images ran. Without these, scoping a supply-chain incident is a blind, days-long hunt; with them, it is a series of queries. The evidence you generate on every build is the same evidence you need on the worst day.

Contain, eradicate, and rotate broadly

Containment means stopping the spread: block the compromised images at admission, revoke the affected signing identity or credentials, and halt the pipeline path that produced them. Eradication means rebuilding cleanly from verified source and dependencies — not patching the poisoned artifact — and rotating every secret the compromised link could have touched, because in a build-system breach that is potentially all of them. Then redeploy verified artifacts and, critically, add the control that would have caught it, so the same class of attack cannot recur.

Assume the blast radius is larger than it looks
Supply-chain compromises spread quietly through trust: one poisoned dependency or one breached build touches every artifact it was part of and every place they deployed, often across teams that do not know they are affected. Scope generously, rotate credentials broadly (a compromised builder may have seen many), and rebuild rather than clean. Underestimating the reach — "it was just one library" — is how a contained incident quietly persists.