Supply Chain Security Audit

Tip: Syft generates SBOMs in SPDX and CycloneDX formats from source, containers, and filesystems. Run it against both the source repo and the built container image - they often differ because build steps pull additional dependencies. Feed the SBOM into OSV-Scanner for vulnerability matching against the OSV database, which aggregates CVEs from multiple ecosystems.

Tip: Grype provides fast vulnerability matching with detailed CVE information and fix versions. Use retire.js specifically for JavaScript/Node projects where transitive dependency chains get absurdly deep. Check whether vulnerable functions are actually reachable from your code before raising critical alerts - many CVEs affect functionality that the application never touches.

Tip: Gitleaks scans the full git history by default and uses regex plus entropy detection. TruffleHog goes further by actually verifying found credentials against live services to confirm they're active. Run both - they use different detection approaches and catch different things. Pay special attention to .env.example files, docker-compose files, and CI config that often contain real credentials disguised as examples.

Tip: Dockle specifically audits Dockerfiles and images against CIS Docker Benchmark best practices - it catches issues like missing USER directives, ADD instead of COPY, and latest tags. Trivy scans the image filesystem for OS and application vulnerabilities simultaneously. Check if the image contains build tools, package managers, or shells that shouldn't be present in production images.

Tip: Checkov covers Terraform, CloudFormation, Kubernetes, Helm, and Dockerfile with 1000+ built-in policies. KICS (Keeping Infrastructure as Code Secure) provides additional coverage for Ansible, Docker Compose, and Pulumi. Semgrep with its supply-chain rules catches patterns like dependency confusion risks and unsafe package installation. Run all three - overlap is minimal and each catches unique issues.

Tip: Semgrep with community rulesets covers most languages and catches injection, auth, and crypto issues with low false positive rates. Bandit is Python-specific and catches issues like subprocess shell=True and hardcoded passwords. Bearer focuses on data flow and sensitive data exposure. Write custom Semgrep rules for your organization's specific anti-patterns - generic rules miss domain-specific issues.

Tip: Prioritize by actual exploitability, not just CVSS score. A critical CVE with no public exploit in a dependency you don't directly invoke is lower priority than a high-severity issue with a Metasploit module in code you call on every request. Include a dependency update policy recommendation - automated PRs for patch versions, manual review for minor/major. Flag any dependencies with recent maintainer transfers or suspicious activity.