System Design Space
Knowledge graphSettings

Updated: February 21, 2026 at 11:59 PM

Supply Chain Security

mid

Software supply chain protection: SBOM, dependency hygiene, CI/CD hardening, artifact signing and provenance verification.

Context

Secrets Management Patterns

Supply chain security begins with secure pipeline credentials and isolated trust boundaries.

Open chapter

Supply Chain Security protects the path from source code to runtime. The main idea: trust only verifiable artifacts and automate checks at each stage of delivery, so that compromise of one step does not lead to a system incident.

Supply chain layers and controls

Source & dependencies

Dependency pinning, allow-lists, vulnerability scanning, signed commits/tags, branch protection.

Build & CI/CD

Ephemeral runners, least-privileged CI tokens, isolated build steps, provenance generation.

Artifacts & registries

Artifact signing, immutable registries, SBOM publication, policy checks before promotion.

Deploy & runtime

Admission policies, image signature verification, runtime detection and fast rollback.

Key practices

  • Maintain SBOM for key services and check it against real artifacts in production.
  • Sign containers/binaries and verify signatures at the deploy stage.
  • Enter provenance/attestation for the build pipeline (who, with what and when assembled the artifact).
  • Minimize the blast radius of CI secrets: short-lived tokens, scoped credentials, separate trust zones.
  • Perform regular dependency hygiene and patch windows based on CVE severity.

Validation

Testing Distributed Systems

Security drills and compromise simulations are just as important as functional tests.

Open chapter

Maturity model

Each level adds new control mechanisms. Skipping steps is risky: sudden leaps in maturity usually break down on operational details.
1

Level 1: Visibility

Inventory of dependencies and artifacts, basic vulnerabilities scan, supply chain owners.

2

Level 2: Control

Policy gates in CI/CD, mandatory code review, artifact immutability, secret hygiene.

3

Level 3: Verifiability

Signing + attestations + deploy-time verification, full traceability from commit to runtime.

4

Level 4: Resilience

Regular drills, compromise simulations, fast containment and rollback without manual chaos.

Typical antipatterns

CI/CD with long-lived admin tokens without rights segmentation.

Production deployment of artifacts that do not have provenance and signature.

Using latest tags and unpinned dependencies in critical services.

The SBOM is created formally, but does not participate in release policies.

References

Related chapters

Enable tracking in Settings

System Design Space

© 2026 Alexander Polomodov

FAQContacts