From aebe06b786c4b3e8be420f07b863ce8b779b3f9e Mon Sep 17 00:00:00 2001 From: Matteo Meucci Date: Thu, 20 Nov 2025 23:27:53 +0100 Subject: [PATCH] Update AITG-INF-01_Testing_for_Supply_Chain_Tampering.md --- ...ITG-INF-01_Testing_for_Supply_Chain_Tampering.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md b/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md index 6a70895..035e74f 100644 --- a/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md +++ b/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md 
@@ -15,19 +15,18 @@ Supply Chain Tampering involves unauthorized modifications or compromises introd **1. Dependency Poisoning** -Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities. - -Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries. +- Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities. +- Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries. **2. Container/Image Manipulation** -Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment. -Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime. +- Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment. +- Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime. **3. CI/CD Pipeline Tampering** -Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations. 
-Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process. +- Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations. +- Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process. ### Expected Output
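Review bot: In the restructured item **1. Dependency Poisoning**, the test still only runs an SCA scan for known `HIGH`/`CRITICAL` vulnerabilities, which measures vulnerable dependencies, not poisoned or tampered ones; since this commit is already rewording both bullets, consider extending the `- Test:` bullet with checks that actually target tampering, such as verifying that dependencies are version-pinned and hash-verified in `requirements.txt`/`package.json` lockfiles and that packages resolve from the intended registry, and adjust the `- Response Indicating Vulnerability:` bullet accordingly (unpinned or unverified dependencies as the finding). One smaller point in item **3. CI/CD Pipeline Tampering**: the GitLab configuration file is `.gitlab-ci.yml` (leading dot), so the example `gitlab-ci.yml` should be corrected while the line is being touched.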