From ca4950827f5af695cb9a52d08ac376c479c62699 Mon Sep 17 00:00:00 2001 From: Matteo Meucci Date: Thu, 20 Nov 2025 22:57:44 +0100 Subject: [PATCH] Update AITG-INF-01_Testing_for_Supply_Chain_Tampering.md --- ...F-01_Testing_for_Supply_Chain_Tampering.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md b/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md index bada3f0..6a70895 100644 --- a/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md +++ b/Document/content/tests/AITG-INF-01_Testing_for_Supply_Chain_Tampering.md @@ -13,20 +13,21 @@ Supply Chain Tampering involves unauthorized modifications or compromises introd ### How to Test/Payloads -**Payload 1: Dependency Poisoning** +**1. Dependency Poisoning** -- **Test:** Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities. -- **Response Indicating Vulnerability:** The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries. +Test: Use a Software Composition Analysis (SCA) tool like `Trivy` or `OWASP Dependency-Check` to scan the project's dependencies (`requirements.txt`, `package.json`, etc.) for known vulnerabilities. -**Payload 2: Container/Image Manipulation** +Response Indicating Vulnerability: The scan identifies one or more dependencies with `HIGH` or `CRITICAL` severity vulnerabilities, indicating that the project is susceptible to exploitation through its third-party libraries. -- **Test:** Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment. -- **Response Indicating Vulnerability:** The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime. +**2. Container/Image Manipulation** -**Payload 3: CI/CD Pipeline Tampering** +Test: Use a container scanner like `Trivy` or `Anchore` to scan the Docker image used for deployment. +Response Indicating Vulnerability: The scan reveals critical vulnerabilities in the base OS packages or libraries included in the image, which could be exploited at runtime. -- **Test:** Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations. -- **Response Indicating Vulnerability:** The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process. +**3. CI/CD Pipeline Tampering** + +Test: Review the CI/CD pipeline configuration (e.g., `Jenkinsfile`, `gitlab-ci.yml`) for security misconfigurations. Check for hardcoded secrets, insufficient access controls on build steps, or build scripts that pull resources from untrusted locations. +Response Indicating Vulnerability: The pipeline configuration allows unauthenticated or unauthorized modifications, contains hardcoded secrets, or uses unsigned/unverified artifacts during the build process. ### Expected Output