Overview#
Software Supply Chain Integrity provides verifiable evidence, across web consoles, backend services, the authentication service, and the responder mobile application, that the code running in production is exactly the code that was reviewed, built, and attested.
Modern software attacks rarely break in through the front door: they arrive through a compromised dependency, a tampered build server, or a poisoned script host, long before the product reaches the people who rely on it. Agencies that run intelligence and emergency-response software are increasingly asked to prove the opposite of that scenario. The deployed authentication service and every mobile release publish signed build-provenance attestations, dependencies are pinned and audited as a condition of release, externally hosted browser assets are integrity-pinned, and platform plugins refuse to load unless their signatures verify against a hardware-anchored trust chain. It exists for security assessors, accreditation teams, and government buyers who need supply chain assurance as evidence, not as a promise.
Key Features#
- Signed Build Provenance: Every production deployment of the authentication service publishes a signed SLSA provenance attestation for the deployed bundle, and every mobile release carries a cryptographically signed attestation over the exact artefact checksum stating what was built and from what, produced by an automated tag-triggered release pipeline rather than a developer workstation, with keyless signing used where available.
- Fail-Closed Release Signing: Mobile release builds fail outright if production signing material is incomplete, at both the build-script and build-system level, so a debug-signed release is impossible on any path.
- Pinned, Audited Dependencies: Backend dependencies are hash-pinned and lockfile-verified, mobile dependencies are pinned and inventoried, and an automated pin-drift check runs as a blocking release gate on the authentication service; dependency vulnerability audits against publicly catalogued CVE identifiers are a mandatory condition of release, orphaned and unmaintained packages have been removed and locked out from returning, and automated dependency-update proposals cannot merge without an approved human review.
- Software Bills of Materials: Mobile releases publish software bills of materials, gated so that an empty or stub inventory fails the build rather than shipping silently.
- Vendor SDK Vetting: Hardware-vendor SDKs for wearables, body-worn devices, and heads-up displays must have a verified artefact checksum and their own bill of materials before any feature flag can enable them, and the pre-release sign-in security library is pinned to an exact version with a recorded vetting register, so an unvetted version bump fails the release gates.
- Signed Plugin Enforcement: Platform plugins cannot load unless their signatures verify: an unsigned manifest, an untrusted signer, or an invalid signature stops the plugin before any of its code runs, verification failures are never downgraded to warnings, and the signing trust chain is anchored in hardware security modules that fail loudly when misconfigured instead of quietly falling back to software keys. Local test signing is refused in production without an explicit, secret-gated opt-in.
- Integrity-Pinned Browser Assets: All externally hosted scripts and stylesheets carry Subresource Integrity hashes, so a compromised script host or content network cannot alter what runs in an operator's browser.
- Hardened Build and Deployment Posture: Container builds block third-party install scripts while still applying the platform's own vetted patches so shipped images match reviewed code, containers run as non-root, cloud deployments gate on pinned secret versions with least-privilege runtime tokens, the authentication service refuses to boot with weak, short, or placeholder secrets, and continuous checks ban authentication-bypass flags from deploy configuration and verify that no secret files are ever tracked in source control.
Use Cases#
- Customer Security Assessor: Verifies during a procurement review that no unreviewed dependency change, tampered build, or compromised script host can reach production, using the release gates and attestations as direct evidence.
- Accreditation and Compliance Officer: Evidences continuous dependency vulnerability management and build provenance for regulated and accredited deployments: locked dependencies, human-reviewed updates, integrity-pinned assets, and signed attestations.
- Government or Defence Buyer: Requires SLSA-style provenance and software bills of materials for mobile software, and can verify that the binary deployed to responders corresponds exactly to an attested, pipeline-built release.
- Platform Administrator: Attests that only hardware-signed plugins run inside operator workspaces, so a compromised plugin host or tampered manifest cannot execute arbitrary code in front of live operations.
Integration#
Software supply chain integrity underpins the rest of the security portfolio rather than standing alone. It complements vulnerability scanning and compliance certification evidence, feeds the same assurance posture as secrets management and encryption key management (boot-time secret strength floors and pinned secret versions), governs the plugin and extension framework through mandatory signature verification, and pairs with mobile device integrity and responder mobile security so that both the device and the software on it can be trusted. Release gating and attestation records sit alongside the platform's tamper-evident audit trail as material an assessor can independently verify.
Open Standards#
- SLSA: The deployed authentication service bundle and every mobile release publish signed SLSA build-provenance attestations recording exactly what was built and from what source.
- in-toto: Mobile release provenance uses the in-toto attestation format over the exact artefact checksum, with keyless signing where the pipeline supports it.
- W3C Subresource Integrity: Externally hosted scripts and stylesheets carry integrity hashes so the browser refuses any asset that has been tampered with in transit or at the host.
- CVE: Dependency audits resolve against the public CVE catalogue, and an unresolved finding blocks the release.
Last Reviewed: 2026-07-16 Last Updated: 2026-07-16