Supply Chain Security Platform

Beyond Vulnerability Scanning

Spyda 2.0 extends TrustScore with comprehensive supply chain security: SLSA provenance tracking, in-toto attestation verification, and policy-based governance.

Platform Overview
Unified supply chain security and vulnerability intelligence

Traditional AppSec tools focus on what vulnerabilities exist. Spyda TrustScore now answers: "How did this software get here, and can we trust the journey?"

Traditional TrustScore (70%)

  • • Vulnerability findings
  • • Exploitability analysis
  • • Compliance checks
  • • AI risk detection

NEWSupply Chain (30%)

  • • SLSA provenance (L0-L4)
  • • Cryptographic verification
  • • Builder reputation
  • • Material trust scoring
Predicate Normalization

Ingests SLSA provenance, in-toto Links, SPDX/CycloneDX SBOMs, VEX, and SARIF into a unified model.

Format-agnostic
Attestation Verification

Verifies cosign, Sigstore, and custom signatures. Correlates attestations with GitHub dependency graphs.

Cryptographic trust
Policy Engine

YAML-based policies with CEL expressions. Block deployments on SLSA L0, unsigned artifacts, or blocked materials.

Org-wide control
SLSA Level Scoring
Supply-chain Levels for Software Artifacts (SLSA) compliance
SLSA L4Score: 100

Hermetic, reproducible builds with complete provenance and two-person review

SLSA L3Score: 90

Hardened build platform with non-falsifiable provenance

SLSA L2Score: 70

Build service generated provenance with documented completeness

SLSA L1Score: 50

Provenance exists and is verifiable

SLSA L0Score: 0

No provenance available

Integration with Spyda TrustScore
How supply chain security enhances vulnerability analysis

Attestation ↔ Finding Correlation

Findings are automatically linked to provenance attestations. Vulnerabilities in unsigned artifacts receive higher confidence scores, while SLSA L4 packages with critical issues are flagged for immediate review.

Weighted Composite Score

Final TrustScore = (Base Vulnerability Score × 0.7) + (Supply Chain Score × 0.3)

Policy-Based Gating

Org-wide policies can block deployments based on SLSA level, unsigned artifacts, untrusted builders, or blocked materials.

Why This Matters

The SolarWinds, Codecov, and 3CX supply chain attacks all shared a common weakness: attackers injected malicious code into trusted build pipelines, and traditional security tools missed it because they only scanned the final artifact.

Spyda's Supply Chain Security Platform closes this gap by tracking how software was built, not just what it contains. By combining vulnerability scanning with provenance verification, you get a complete picture of software trustworthiness.