Supply Chain - Tag - vo.rshttps://vo.rs/tags/supply-chain/Supply Chain - Tag - vo.rsHugo -- gohugo.ioenThis work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.Fri, 21 Nov 2025 07:00:00 +0000SBOM: Software Bill of Materials and Why You Should Care About Your Dependencieshttps://vo.rs/story/sbom-software-bill-of-materials-and-why-you-should-care-about-your-dependencies/<p>Every time a serious supply-chain vulnerability lands, the same scramble begins. Someone in a chat channel asks &ldquo;are we affected?&rdquo; and the honest answer, for most teams, is &ldquo;give us a few days and we&rsquo;ll tell you.&rdquo; That few days is the gap an SBOM is meant to close. A Software Bill of Materials is just an inventory — a machine-readable list of every component that went into a build — but having one ready before the panic is the difference between an afternoon and a fortnight.</p>Fri, 21 Nov 2025 07:00:00 +0000Sigstore and Cosign: Verifying Container Images Before They Runhttps://vo.rs/story/sigstore-and-cosign-verifying-container-images-before-they-run/<p>A container tag is a lie you&rsquo;ve agreed to believe. <code>nginx:latest</code> today and <code>nginx:latest</code> next week can be entirely different bytes, and a tag tells you nothing about who built the image or whether it&rsquo;s been swapped underneath you. The whole modern supply-chain panic — compromised build pipelines, typosquatted images, dependency confusion — comes down to that one weak link: we run images we can&rsquo;t actually verify. Sigstore, and its CLI <code>cosign</code>, is the most practical fix I&rsquo;ve adopted, mostly because it finally killed the part of signing that everyone hated: key management.</p>Fri, 17 Oct 2025 14:00:00 +0000Supply Chain Attacks: From npm Typosquatting to Poisoned Container Imageshttps://vo.rs/story/supply-chain-attacks-from-npm-typosquatting-to-poisoned-container-images/<p>The most effective way to attack a company isn&rsquo;t to break down its front door. It&rsquo;s to be standing inside the delivery van that the company waves through the gate every morning. Supply chain attacks work because they exploit the one thing every developer does without thinking: pull in code and images they didn&rsquo;t write, from people they&rsquo;ve never met, and run them with full trust.</p> <p>You did it this morning. <code>npm install</code>. <code>docker pull</code>. <code>pip install</code>. Each one is an act of faith that the thing at the other end is what it claims to be and hasn&rsquo;t been tampered with since you last looked. Mostly that faith is rewarded. The supply chain attacker&rsquo;s entire business is the times it isn&rsquo;t.</p>Tue, 12 Nov 2024 09:00:00 +0000