Supply Chain Attack Simulation
workflow:supply-chain-attack-simulation
{
"id": "workflow:supply-chain-attack-simulation",
"_kind": "Workflow",
"_file": "workflows/workflows/workflows-security-research-deep.yaml",
"_cluster": "workflows",
"attributes": {
"displayName": "Supply Chain Attack Simulation",
"workflowKind": "security",
"triggerType": "scheduled",
"typicalCadence": "semi-annual",
"complexity": "cross-team",
"description": "Simulates software supply chain attack scenarios -- injecting typosquatted\npackages into internal registries, testing dependency confusion defenses,\nvalidating SLSA provenance verification, testing detection of code-signing\nbypasses, evaluating CI pipeline compromise scenarios, and measuring\ntime-to-detection and response effectiveness. Produces a findings report\nwith remediation priorities. Excludes ongoing dependency scanning.\n"
},
"outgoingEdges": [
{
"from": "workflow:supply-chain-attack-simulation",
"to": "role:security-reviewer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "role:platform-engineer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "role:staff-engineer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "skill-area:supply-chain-security",
"kind": "requires_skill_area",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "skill-area:dependency-vulnerability-mgmt",
"kind": "requires_skill_area",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "domain:cybersecurity",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "domain:security",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "responsibility:threat-modeling",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "responsibility:security-review",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "org-unit:security-team",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "org-unit:application-security-team",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:supply-chain-attack-simulation",
"to": "org-unit:platform-team",
"kind": "performed_by_org_unit",
"attributes": {}
}
],
"incomingEdges": []
}