What Do You Depend On? When the Chain of Trusts Breaks


via Dev.to, by Anthony Barbieri

Most teams rely on more than just their application code to ship software. What happens when one of those tools falls victim to an attack? We recently got a demonstration with the popular security scanning tools Trivy and KICS. The attackers leveraged the compromised tooling (GitHub Actions) in a supply chain attack to harvest credentials from any consuming repo. With these additional credentials, they could expand their reach until they achieved the foothold they were looking for. I've noticed this risk is not unique to security scanners. While teams commonly consider the libraries their applications directly leverage, there is considerable surface area in what Node calls "devDependencies" or the additional tooling your CI/CD pipeline pulls in during execution. This might include a test framework, formatter, or linter. Pipelines are high-value targets because of the secrets and systems they have access to, and teams must be more intentional about the steps they take to protect them. Just becaus

Continue reading on Dev.to
