Shifting left on security: Securing software supply chains
This whitepaper focuses on the processes, tools, practices, and techniques that
increase confidence in the software development lifecycle (SDLC) by mitigating
security-risk concerns. It discusses how to improve security of continuous
integration and continuous delivery (CI/CD) pipelines by introducing best
practices for source code, build and packaging infrastructure, software
artifacts, artifact storage and serving infrastructure, and artifact deployment.
This document is intended for readers interested in collecting fast feedback
when appraising exposure to security vulnerabilities. Though the document uses
as examples VM images and containers designed for Kubernetes, the principles are
applicable to all software development pipelines consisting of build and
deployment phases, including serverless applications and platform-as-a-service
(PaaS) applications.
Overview
This whitepaper outlines the following:

- How trust is progressively acquired through the CI/CD pipeline and used to mitigate security risks
- Methods to protect source code from exploits
- Techniques that increase trust during the build and packaging process
- Automated mechanisms to increase trust in built artifacts and packaged artifacts before deployment
- How to further establish trust through controlled-environment code deployments
To read the full whitepaper, download the PDF: /static/files/shifting-left-on-security.pdf

Last updated 2025-08-25 UTC.