Evidence Stores for Supply Chain Security

Pavel — Fri, 20 Mar 2026 22:33:07 +0000

Supply chain security is currently Top 3 on OWASP 2025 Top 10 list. There is growing acknowledgement in the industry that supply chain security becomes is increasingly important and growing number of cyber attacks now involve supply chain compromises as at least one of the vectors.

With that the question how to protect one's supply chain becomes highly visible.

2020 Mindset Still Present

A lot of tooling is still stuck in the pre-Log4Shell times, when you would point a scanner to source code repository and take results every 6 months, or if you're prudent, every 3 months.

But what such results actually represent? How do they correlate to the actual product version that you or your clients are currently running. If there is a customer still running a version released 12 months ago, would it be of any help to them to know that the most recent scan over most recent state over the source code repository came out clean?

Tooling Evolution

Modern times require modern tools. Tools like ReARM that support modern standards such as emerging Transparency Exchange API are the answer.

Essentially, we're talking here about Product-Component release metadata organization model which allows to track per-release cybersecurity posture of any software or hardware product in real-time.

New findings would be recorded against particular versions of products or components thus giving clear picture of where the main risks come from.

Regulatory Pressure

New regulations such as EU CRA introduce further pressure to implement such mechanisms as quickly as possible. Per EU CRA, among other obligations, every manufacturer of Products with Digital Elements would have to maintain per-release SBOMs and other documentation and store these artifacts for prolonged period of time, typically 10 years or longer.

This puts additional need for organizations to explore and adopt tooling which can support these requirements.

Evidence Gathering Unification

Similarly, patterns like Dockerfile.sbom emerge. This allows developers to have unified way to capture supply chain evidences, such as SBOMs during CI phase of their release lifecycle.

Towards Unified Release Management System

Most building blocks are already available with modern tooling, such as ReARM. This includes also FOSS solutions, such as self-hosted ReARM CE.

With this it is possible to create a system where each build has its evidence artifacts generated at CI time, stored in the centralized evidence management platform, bundled into product releases, subjected to established approval process and then continuously evaluated against existing and new threats.

Supply Chain Security and AI Revolution

AI puts more pressure on ensuring supply chain security not less. With development speed increasing at least 10x and attackers using creating and sophisticated techniques augmented by AI it is more important than ever to have established levels of controls via signing and attestations.

Solutions like Cosign, in-toto and ShiftLeftCyber's SecureSBOM can be mentioned here.

Again, even with signatures and attestations in place, one still needs a platform to tie everything together and provide discovery mechanics. So we're establishing the following worldview for supply chain:

Ultimate Vision of Transparent and Secure Supply Chains

Each manufacturer produces a piece of software, on top of which CI system generates established set of security artifacts (SBOMs, SAST scans and others). Any dependencies used in the process should be verified against their own provided signatures and attestations. That information about dependencies is pulled from the evidence store. The results of CI including metadata, and artifacts, including signatures and attestations, are then also fed into the evidence store.

So supply chain evidence platform, like ReARM, becomes the glue that ties together different independent pieces of supply chain. Now, such evidence store or platform is not meant to be centralized store of everything. For this we have new identifiers, primarily Package-URL or PURL.

PURL is the core element that allows having decentralized system of evidence store that can be used interchangeably between various organizations. The actual mechanism how those systems communicate with each other would be Transparency-Exchange API. The future vision of which is near-instant bot-to-bot communication that is able to exchange CycloneDX fragments of data on demand.

With this every interested party is able to immediately verify the authenticity of every component in its supply chain and thus ensure integrity and security.

DEV Community: Pavel

[Boost]