Supply Chain Security - CI/CD Glossary Definition
Supply chain security is the practice of protecting every step that produces and delivers software (source, dependencies, build, and distribution) against tampering. In CI/CD it covers signed commits, pinned and verified dependencies, hardened build runners, and signed, attested artifacts.
Common building blocks
An SBOM lists what is inside an artifact, signing (cosign/sigstore) proves who built it, and provenance attestations record how and where it was built. Frameworks like SLSA describe maturity levels for these controls.
In CI
Pinning actions and dependencies by digest, running builds on ephemeral runners with least-privilege credentials, and generating provenance during the build are concrete supply-chain controls a pipeline can adopt.