Shifting left on security: Securing software supply chains

This whitepaper focuses on the processes, tools, practices, and techniques that increase confidence in the software development lifecycle (SDLC) by mitigating security-risk concerns. It discusses how to improve security of continuous integration and continuous delivery (CI/CD) pipelines by introducing best practices for source code, build and packaging infrastructure, software artifacts, artifact storage and serving infrastructure, and artifact deployment.

This document is intended for readers interested in collecting fast feedback when appraising exposure to security vulnerabilities. Though the document uses as examples VM images and containers designed for Kubernetes, the principles are applicable to all software development pipelines consisting of build and deployment phases, including serverless applications and platform-as-a-service (PaaS) applications.


This whitepaper outlines the following:

  • How trust is progressively acquired through the CI/CD pipeline and used to mitigate security risks
  • Methods to protect source code from exploits
  • Techniques that increase trust during the build and packaging process
  • Automated mechanisms to increase trust in built artifacts and packaged artifacts before deployment
  • How to further establish trust through controlled-environment code deployments

To read the full whitepaper, click the button:

Download the PDF