Supply chain security for gitops

Software supply chain security doesn’t stop at the application layer. Kusari Inspector can help secure your infrastructure-as-code, too.

Ben Cotton

July 16, 2025

When you think of your software supply chain, you probably think about the software packages that you use — your dependencies, compilers, and so on. But the software supply chain is more than just what goes into software; it's also how the software is built, shipped, and deployed. And those build, ship, and deploy steps often involve infrastructure-as-code (IaC). Modern application management includes using git to store, modify and deploy IaC. This means IaC is a critical — but often overlooked — part of software supply chain security.

Benefits of IaC

The easiest way to secure something is to not have it in the first place. Removing IaC would eliminate the work of securing it, but the benefits of IaC outweigh that effort, and the end result of doing without it would almost certainly be worse overall security.

Before IaC, there was configuration management. Configuration management made it possible for system administrators to keep even large fleets of systems consistent. By modern standards, the university's home-grown configuration management system that I used at the start of my career would be considered painful, but it beat hand-configuring each machine the way my colleagues in some other departments were doing. I could be sure that every machine under my control had the correct settings for DNS, authentication, firewall, sudo privileges, and other security-related configuration. This was all tracked in version control, so it was clear who made a change and when.

Twenty years ago, “infrastructure” was primarily physical servers. With the rise of clouds — both public and internal — infrastructure came to mean provisioned virtual hardware. Many small companies today have no hardware beyond staff laptops. This creates the need to manage and automate the infrastructure itself. IaC builds on configuration management to not just apply settings to infrastructure, but to actually create it.

Securing IaC

In many ways, IaC security looks a lot like application security. You need access control to ensure that only authorized people can make changes. Securely managing secrets is critical to preventing attacks. And the tools themselves have to be secure before you can use them securely.

But IaC is different, too. First of all, the “blast radius” is larger — often much larger. Whereas a vulnerable application can leak some information, a misconfigured file server or object storage bucket could leak all of your information. Both are bad, of course, but the larger the exposure, the greater the risk to your business. Depending on the kind of information that your company deals with, the financial liability could bankrupt you. It's not just security risks, either. A runaway provisioning system could result in a dramatically larger cloud bill than you were expecting.

Also consider that the term is “infrastructure as code,” not “infrastructure is code.” IaC may be treated like code, but it's primarily configuration. This may seem like just semantics, but it's a meaningful distinction. It's much easier to see issues in, and run tests against, a piece of code than a section of a configuration file, because the configuration only has an effect once the tooling applies it.

Kusari Inspector can help

Kusari Inspector isn't just for securing your applications — it’s part of a balanced security diet for your IaC as well. Kusari Inspector can find secrets that you’ve accidentally committed in plain text. It can ensure that the GitHub Workflows you use to test and deploy your IaC configuration meet best practices to prevent attack or leak. And with support for the HashiCorp Configuration Language (HCL), Kusari Inspector can uncover security concerns in the IaC configuration itself.
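Because configuration only takes effect when the tooling applies it, the practical way to catch the issues described above before they go live is to scan the committed files statically. The following is an added example, not Kusari Inspector's code or any part of the product: a small Python checker that runs two of the checks this post names over Terraform-style HCL, a secret assigned as a quoted literal and an object storage bucket left publicly readable. It assumes a line-oriented scan is sufficient (one attribute per line, no heredocs, top-level blocks closed by a `}` at column 0). Both sample configurations, the resource names and the literal `hunter2` are constructed for this example; the weak sample uses the classic inline `acl` argument of `aws_s3_bucket`, and the hardened one replaces the literal with a `var.` reference and enables every `aws_s3_bucket_public_access_block` flag.

```python
"""Static checks over Terraform-style HCL for plaintext secrets and public buckets.

Added example, not Kusari Inspector's code. Assumptions: one attribute per line,
no heredocs, top-level blocks close with '}' at column 0. Sample configs are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attribute names that should never be assigned a quoted literal in committed IaC.
SECRET_ATTR = re.compile(
    r'^\s*(?P<name>\w*(?:password|secret|token|api_key|access_key)\w*)\s*=\s*(?P<value>.+?)\s*$',
    re.IGNORECASE,
)
# A plain quoted string: no interpolation and no reference to a variable or data source.
QUOTED_LITERAL = re.compile(r'^"[^"$]+"$')
RESOURCE_START = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
ACL_ATTR = re.compile(r'^\s*acl\s*=\s*"(?P<acl>[^"]+)"')
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_DISABLED = re.compile(
    r'^\s*(?P<flag>block_public_acls|block_public_policy|ignore_public_acls|restrict_public_buckets)\s*=\s*false\b'
)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def scan_hcl(text: str) -> list[Finding]:
    """Return findings in source order; an empty list means both checks passed."""
    findings: list[Finding] = []
    block = None  # (resource type, resource name) of the enclosing top-level block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore trailing comments
        if raw.startswith("}"):  # end of a top-level block
            block = None
            continue
        start = RESOURCE_START.match(line)
        if start:
            block = (start.group("type"), start.group("name"))
            continue

        # Rule 1: a secret-looking attribute assigned a literal string.
        m = SECRET_ATTR.match(line)
        if m and QUOTED_LITERAL.match(m.group("value")):
            findings.append(Finding(lineno, "plaintext-secret",
                                    f"{m.group('name')} is a literal; reference a variable or secret store"))

        # Rule 2a: a canned ACL that grants public access on an S3 bucket.
        if block and block[0] == "aws_s3_bucket":
            m = ACL_ATTR.match(line)
            if m and m.group("acl") in PUBLIC_ACLS:
                findings.append(Finding(lineno, "public-bucket-acl",
                                        f'bucket "{block[1]}" uses acl {m.group("acl")}'))

        # Rule 2b: a public access block with any of its guards switched off.
        if block and block[0] == "aws_s3_bucket_public_access_block":
            m = PAB_DISABLED.match(line)
            if m:
                findings.append(Finding(lineno, "public-access-not-blocked",
                                        f'{m.group("flag")} = false on "{block[1]}"'))
    return findings


# Constructed weak configuration: a committed password and a world-readable bucket.
WEAK = """\
resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "hunter2"
}

resource "aws_s3_bucket" "exports" {
  bucket = "example-exports"
  acl    = "public-read"
}

resource "aws_s3_bucket_public_access_block" "exports" {
  bucket              = aws_s3_bucket.exports.id
  block_public_acls   = false
  block_public_policy = false
}
"""

# Constructed hardened configuration: the same resources with the issues fixed.
HARDENED = """\
resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = var.db_password  # supplied at apply time, never committed
}

resource "aws_s3_bucket" "exports" {
  bucket = "example-exports"
  acl    = "private"
}

resource "aws_s3_bucket_public_access_block" "exports" {
  bucket                  = aws_s3_bucket.exports.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        results = scan_hcl(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
```

Run as a pre-commit hook or CI step, the scan fails the weak configuration on four lines (the literal password, the `public-read` ACL, and the two disabled public-access guards) and passes the hardened one. The value of the `var.` reference is still worth checking at apply time, but a literal in the repository is the case a reviewer cannot un-leak, which is why the check targets the committed file rather than the running infrastructure.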

Software supply chain security doesn’t stop at the application layer. It also includes your infrastructure and the configuration you use to provision it. With Kusari Inspector, you can catch security concerns before they go live. Try Kusari Inspector for free today.
