Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
As stewards of the npm registry, we take the security of npm seriously and have continued to introduce changes that improve the security and trustworthiness of the registry. Over the last several months, we’ve announced changes such as requiring two-factor authentication, streamlined login, and enhanced signing of artifacts. These changes help protect open source consumers from software supply chain attacks, in which malicious users try to spread malware by breaching a maintainer’s account and adding malicious software to open source dependencies that many developers use.
Today, we’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. When package maintainers opt in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.
Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys. A recent project from the Linux Foundation and Open Source Security Foundation (OpenSSF) called Sigstore has made this process easier and more secure than past methods by not requiring developers to manage long-lived cryptographic keys. The project has seen some early adoption with other package manager ecosystems. With today’s RFC, we are proposing to add support for end-to-end signing of npm packages using Sigstore. This process would include generating attestations about where, when, and how the package was authored, so that it can be verified later.
Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!