Update AITG-INF-01_Testing_for_Supply_Chain_Tampering.md

This commit is contained in:
Matteo Meucci
2025-11-20 22:57:44 +01:00
committed by GitHub
parent 38aa5b6f79
commit ca4950827f
@@ -13,20 +13,21 @@ Supply Chain Tampering involves unauthorized modifications or compromises introd
### How to Test/Payloads
**Payload 1: Dependency Poisoning**
**1. Dependency Poisoning**
- **Test:** Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities.
- **Response Indicating Vulnerability:** The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries.
Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities.
**Payload 2: Container/Image Manipulation**
Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries.
- **Test:** Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment.
- **Response Indicating Vulnerability:** The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime.
**2. Container/Image Manipulation**
**Payload 3: CI/CD Pipeline Tampering**
Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment.
Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime.
- **Test:** Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations.
- **Response Indicating Vulnerability:** The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process.
**3. CI/CD Pipeline Tampering**
Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations.
Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process.
### Expected Output