CalvinBackup/www-project-ai-testing-guide
1
0
Fork 0
mirror of https://github.com/OWASP/www-project-ai-testing-guide.git synced 2026-05-31 19:41:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update AITG-INF-01_Testing_for_Supply_Chain_Tampering.md

Browse Source
This commit is contained in:
Matteo Meucci
2025-11-20 23:27:53 +01:00
committed by GitHub
parent 807c5b9800
commit aebe06b786
1 changed files with 6 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md
+6 -7
View File
@@ -15,19 +15,18 @@ Supply Chain Tampering involves unauthorized modifications or compromises introd
**1. Dependency Poisoning**
Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities.
Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries.
- Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities.
- Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries.
**2. Container/Image Manipulation**
Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment.
Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime.
- Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment.
- Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime.
**3. CI/CD Pipeline Tampering**
Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations.
Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process.
- Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations.
- Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process.
### Expected Output