diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md index f3b0a913e77b..e513d402630d 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md @@ -21,7 +21,11 @@ topics: ## About supply chain security at GitHub -With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} and replace any malware{% endif %}. +When developing a software project, you likely use other software to build and run your application, such as open-source libraries, frameworks or other tools. These resources are collectively referred to as your “dependencies”, because your project depends on them to function properly. Your project could rely on hundreds of these dependencies, forming what is known as your "supply chain". + +Your supply chain can pose a security problem. If one of your dependencies has a known security weakness or a bug, malicious actors could exploit this vulnerability to, for example, insert malicious code ("malware"), steal sensitive data, or cause some other type of disruption to your project. This type of threat is called a "supply chain attack". Having vulnerable dependencies in your supply chain compromises the security of your own project, and you put your users at risk, too. + +One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} and replace any malware{% endif %}. You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.