Skip to main content
    DevOps
    Way of Working
    1. Home
    3. Capabilities
    5. Code Supply Chain Verification

    Supply Chain Verification

    Acceleration
    Phase: code
    CFR
    LT

    Quick Reference

    Phase
    code
    Epic
    Secure Code & Advanced Review
    Milestone
    Acceleration
    Target
    >= 80% dependencies verified
    Implementation Time
    Part of Secure Code & Advanced Review epic: 4 weeks (30 hours per capability avg)

    What & Why

    Definition

    >= 80% of dependencies verified using SLSA provenance, signature verification, or checksum validation.

    Business Value

    Detects security vulnerabilities 10x earlier (development vs production) and reduces critical security findings by 80% through shift-left security scanning Achieving >= 80% dependencies verified is a key milestone toward this goal.

    Context

    This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting CFR, LT improvements.

    Success Criteria

    Target

    >= 80% dependencies verified

    Measurement

    Dependency verification rate from build logs

    Evidence

    • SLSA provenance files
    • Signature verification config
    • Checksum validation logs

    In Practice

    Real-World Implementation

    Build system verifies npm package signatures, validates checksums against lock file, checks SLSA provenance for critical dependencies.

    Concrete Example

    Dependency 'react@18.2.0' verification: npm signature valid, checksum matches package-lock.json, SLSA provenance level 2 verified.

    Implementation Guide

    Prerequisites

    SBOM Generation
    >= 80% builds generate SBOM

    Implementation Steps

    Follow the measurement approach: Dependency verification rate from build logs

    For detailed step-by-step guidance, refer to the Secure Code & Advanced Review Implementation Kit.

    Resources

    Implementation Kit

    Secure Code & Advanced Review Kit

    Templates

    Browse all templates

    Related Resources

    View learning paths

    Related Capabilities

    Prerequisites

    Implement these first

    SBOM Generation

    Complementary

    Often adopted together, from the Secure Code & Advanced Review epic

    Secure Coding Training Enforcement
    Advanced SAST Integration
    Dependency Security Policy
    Secrets Rotation Enforcement

    Troubleshooting & FAQs

    Common Issues

    Issue: Target metric not improving

    Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

    Issue: Team resistance to adoption

    Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

    Issue: Inconsistent implementation across teams

    Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

    Frequently Asked Questions

    Can we implement this before completing prerequisites?

    While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

    How long does implementation typically take?

    Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

    DevOps
    Way of Working

    DevOps practices for the entire delivery lifecycle

    © 2019-2026 devopswow.com. Created by Burhan Öcüt

    PartnersAboutPrivacyTermsCookies