Today, we’re excited to announce the open-source release of SupplyShield, an application security orchestration framework designed to secure software supply chains end-to-end. SupplyShield addresses the critical gap between running security scanners and actually operationalizing their results at scale.

# The Problem We’re Solving

Supply chain attacks are exploding. Recent statistics paint a concerning picture:

• 97% of organizations reported being impacted by supply chain attacks last year [1]
• The average direct cost per incident is nearly $5 million [2]
• 84% of codebases contain at least one vulnerable package [3]
• 72% of security teams say supply chain security is their biggest blind spot [4]
• Even now, 13% of Log4j downloads are still vulnerable [3]

The challenge isn’t just detecting vulnerabilities - it’s making sense of them at scale. When you’re responsible for securing hundreds of microservices, traditional standalone scanners fall short. They don’t scale, provide no visibility into historical scans, offer no instant results, lack tracking capabilities, and most importantly, developers never get clear, actionable items.

# What is SupplyShield?

SupplyShield is an open-source Application Security Orchestration Framework that sits on top of scanners you already love—SBOM generators, SCA tools, SAST scanners—and ties everything together into a cohesive, scalable system.

## Key Capabilities

🔍 End-to-End Visibility

• Automated SBOM generation using cdxgen with support for multiple package managers (Java, Python, Node.js, Go, and more)
• Docker image-based scanning with Syft
• Live queryable inventory of all packages across your infrastructure
• Both source code and container image scanning

🎯 Developer-Friendly Action Items

• Automatically identifies secure package versions for upgrades
• Prioritizes vulnerabilities using EPSS (Exploit Prediction Scoring System) with automated score updates and package-level prioritization
• Segregates base image vulnerabilities from application-layer issues
• Enhanced transitive dependency tracking with improved detection and visualization of how vulnerabilities are introduced through transitive dependencies
• Graph-based commons package segregation that automatically identifies and separates organization commons packages from developer-owned code

🔗 Seamless Integrations

• GitHub integration with automated issue creation and updates for actionable security findings
• CI/CD pipeline integration via message queues (SQS)
• Jira integration support
• Multi-environment support to track and manage security findings across dev, staging, and production environments

📊 Historical Tracking & Accountability

• Build comparison to track vulnerabilities and package changes between different builds over time
• Repository management with comprehensive filtering and statistics
• Clear ownership assignment (SRE vs developers)
• Developer-focused dashboards with improved filtering, statistics, and actionable package prioritization

# Tech Stack

SupplyShield is built with open-source, community-trusted tools:

• 🐍 Python 3.10+ - Core framework
• 🌶️ Flask - Web interface
• 🐘 PostgreSQL - Data storage
• 🐳 Docker & Docker Compose - Fully containerized deployment
• cdxgen - SBOM generation
• ScanCode.io - SCA pipeline
• OSV - Vulnerability database
• Semgrep - SAST scanning
• PurlDB - Package metadata
• Syft - Docker image SBOM generation

# Presentations

SupplyShield has been presented at several major security conferences:

• Nullcon Goa 2025 - “Securing the Chains: Building defensive layers for software supply chains”
• BlackHat Arsenal Asia 2025 (Singapore) - “SupplyShield: Protecting your software supply chain” - Slides
• BlackHat Arsenal Europe 2025 (London) - “SupplyShield: Protecting your software supply chain”

These presentations covered the motivation behind building SupplyShield, the problems we solved, architecture decisions, and live demonstrations of the framework in action.

# Getting Started

SupplyShield is available on GitHub: github.com/supplyshield/supplyshield

## Quick Start

1
2
3
4
5
6
7
8
9

# Clone the repository
git clone --recurse-submodules https://github.com/supplyshield/supplyshield/
cd supplyshield

# Configure environment variables (see README for details)
# Create docker.env file with required configuration

# Start all services
sudo docker compose up -d

The framework includes comprehensive documentation, setup guides, and usage examples. Check out the README for detailed installation and configuration instructions.

# Connect & Contribute

We’d love to hear from you! Whether you’re using SupplyShield, contributing improvements, or have questions:

• GitHub: github.com/supplyshield/supplyshield
• Documentation: Check the README and docs in the repository
• Issues: Report bugs or request features on GitHub Issues
• Contributions: Pull requests are welcome!

Supply chain security is a community problem, and we believe it requires community solutions. We’re excited to see how the security community uses, extends, and improves SupplyShield.

# References

1. 91% of organizations faced a software supply chain attack last year - Security Magazine
2. Learning from the mistakes of others: A retrospective review - Supply chain attacks - ICO Research Reports
3. State of the Software Supply Chain - 2024 10-Year Look - Sonatype
4. Software Supply Chain Security by the Numbers: 30 Key Stats That Matter - ReversingLabs

SupplyShield is under active development.