SUPPLY CHAIN PENETRATION TESTING · CI/CD SECURITY · DEPENDENCY RISK VALIDATION

Your pipeline is the attack surface. We prove it before threat actors do.

Spakto's Supply Chain Penetration Testing simulates real-world supply chain attacks — from dependency poisoning and CI/CD hijacking to artifact tampering and third-party component compromise — delivering evidence-based risk findings and a clear remediation roadmap.

Supply Chain Attack Surface

Your Pipeline Is the Attack Surface

Modern attackers target the software delivery chain — not just the application. Build pipelines, open-source dependencies, and third-party tooling are now primary breach vectors.

0%
Of Breaches involve supply chain
Gartner 2024
0%
YoY increase in OSS attacks
Sonatype 2023
0%
Orgs have no SBOM visibility
Linux Foundation
0s
Median time to exploit new CVE
After disclosure
🔗
CI/CD Pipeline Hijacking

End-to-end testing of build pipeline attack surfaces — from workflow injection to runner privilege escalation and artifact poisoning.

📦
Dependency Chain Analysis

Systematic enumeration of direct and transitive dependency attack vectors including confusion attacks, typosquatting, and malicious packages.

🔏
Artifact Integrity Testing

Validate signing controls, registry policies, and SBOM completeness — testing every point where tampered artifacts could enter your delivery pipeline.

🌐
Third-Party Component Risk

Assess risk from external GitHub Actions, shared pipeline templates, vendor SDKs, and infrastructure-as-code modules used across your build system.

CI/CD Attack Simulator

Four Pipeline Attack Chains Simulated Live

Interactive kill-chain visualizations of real CI/CD compromise scenarios — from workflow injection to artifact tampering. Select an attack and watch the exploitation unfold step by step.

S1 · CRITICAL · T1195.002 · CVE-2021-43710
Workflow Injection via Pull Request
Vector: CI/CD Injection
Pipeline flow: Forked Repo (attacker PR) → GitHub Actions (workflow_run trigger) → CI Runner (privileged context) → Repository Secrets (AWS/GCP/Azure keys) → Cloud Infrastructure (full compromise)
4 · Attack Scenarios · Simulated with full kill-chain
T1195 · MITRE ATT&CK · Supply chain techniques
<60s · Credential Harvest · From log to cloud access
100% · Manual Validation · No automated scanner reliance
Supply Chain Attack Vectors

Six Attack Vectors We Test

Each vector mapped to MITRE ATT&CK, real-world incidents, and specific indicators of compromise. Click any vector for full exploitation detail.

V1 · CRITICAL · T1195.002 · CWE-77
Pipeline Injection (PPE)
CI/CD: Malicious code injected into pipeline execution context via untrusted input — pull request

V2 · CRITICAL · T1195.001 · CWE-427
Dependency Confusion Attack
Dependencies: Attacker registers a public package with the same name as an internal private package. Pac

V3 · HIGH · T1195.001 · CWE-494
Typosquatting & Combosquatting
Dependencies: Registering package names that are visual typos or character substitutions of popular libr

V4 · CRITICAL · T1552.001 · CWE-312
Secrets Exposure in Artifacts
Secrets: Cryptographic keys, API tokens, database credentials, and cloud access keys embedded in bu

V5 · CRITICAL · T1195.002 · CWE-829
Compromised GitHub Action
Actions: A third-party GitHub Action used in your workflow is compromised via maintainer account ta

V6 · HIGH · T1553.006 · CWE-345
Artifact Signing Bypass
Integrity: Container images, release binaries, and build artifacts deployed to production without cry
Dependency Risk Analyzer

Dependency Confusion & Typosquatting Lab

Live simulation showing how package managers resolve dependencies — including which malicious packages would silently win over legitimate ones in your build environment.

Package | Version | Registry | Risk Score | Status
lodash | v4.17.21 | registry | 0 | ✓ Legitimate
lodahs | v99.0.0 | registry | 0 | ⚡ Typosquat
@internal/api-client | v2.1.0 | private | 0 | ✓ Legitimate
api-client | v2.9.0 | registry | 0 | ⚠ Confused
cross-env | v7.0.3 | registry | 0 | ✓ Legitimate
cross-env2 | v1.0.0 | registry | 0 | ☠ Malicious

Risk Categories
✓ Legitimate: Safe, verified package
⚠ Confused: Namespace collision attack
⚡ Typosquat: Character substitution attack
☠ Malicious: Active malicious payload
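
A name-based audit of the six packages in the table above, as an added example that is not Spakto's tooling: it flags an unscoped name that collides with an internal scoped package (confusion) and names within one edit of a well-known package (lookalike). The `INTERNAL` and `POPULAR` allowlists are assumptions taken from the table rows; `cross-env2` is reported as a lookalike because payload inspection is outside what a name check can show.

```python
# Allowlists are assumptions built from the table's "Legitimate" rows.
INTERNAL = {"@internal/api-client"}   # private, scoped packages
POPULAR = {"lodash", "cross-env"}     # well-known public packages
MANIFEST = ["lodash", "lodahs", "@internal/api-client",
            "api-client", "cross-env", "cross-env2"]


def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def bare_name(pkg):
    """Strip an npm scope: '@internal/api-client' -> 'api-client'."""
    return pkg.split("/", 1)[1] if pkg.startswith("@") and "/" in pkg else pkg


def assess(pkg):
    """Return (verdict, related_package) for one dependency name."""
    if pkg in INTERNAL or pkg in POPULAR:
        return ("ok", None)
    for internal in sorted(INTERNAL):
        if pkg == bare_name(internal):
            return ("confusion", internal)   # unscoped twin of a private package
    for known in sorted(POPULAR):
        if osa_distance(pkg, known) <= 1:
            return ("lookalike", known)      # typo or one-character suffix
    return ("unknown", None)


def audit(manifest):
    """Map each suspicious name to its verdict; clean and unknown names are omitted."""
    results = {pkg: assess(pkg) for pkg in manifest}
    return {p: v for p, v in results.items() if v[0] in ("confusion", "lookalike")}


if __name__ == "__main__":
    for pkg, (verdict, related) in audit(MANIFEST).items():
        print(f"{pkg}: {verdict} (resembles {related})")
```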
300K+ · Malicious Packages Found · In npm/PyPI in 2023 alone
29K · Orgs Hit by Codecov · Dependency chain attack
2min · Detection Gap · Avg time malicious pkg active
100% · SBOM Coverage · We document all dependencies
Engagement Lifecycle

10-Day Structured Methodology

Six phases from scope definition to remediation delivery. Each phase produces specific, measurable deliverables with full attack chain documentation.

🎯 SCOPE · Scope & Threat Modeling · Day 1
📦 DEPS · Dependency Risk Analysis · Day 2–3
CICD · CI/CD Pipeline Exploitation · Day 3–5
🔏 ARTIFACT · Artifact & Registry Validation · Day 5–6
📋 FRAMEWORK · Framework Benchmark · Day 7
📄 REPORT · Findings & Remediation · Day 8–10
🎯
Phase 1 / 6 · SCOPE
Scope & Threat Modeling

Map every component of your software supply chain: repositories, build systems, package registries, signing infrastructure, and third-party integrations. Build an attacker-specific threat model.

Duration: Day 1
Activities
spakto-sc/scope
Deliverables: Attack surface diagram; Threat model document; Scope confirmation matrix
Phase Output: Complete supply chain map with attacker-relevant trust boundaries
10 days · Standard Engagement
6 phases · Structured Lifecycle
50+ tests · Per Engagement
48h SLA · Critical Notification
Framework Alignment

Benchmarked Against 4 Industry Standards

SLSA · OWASP CI/CD Top 10 · NIST SP 800-161 · CIS Supply Chain — each with specific control gap analysis and uplift roadmap.

SLSA · v1.0
SLSA: Supply chain Levels for Software Artifacts
87% Coverage

SLSA is a security framework for software supply chain integrity. We assess your current SLSA level and provide a concrete roadmap to reach Level 3.

Control ID | Control | Category | Coverage | Status
L1.1 | Build Scripted | Build | 0% | Covered
L1.2 | Provenance Available | Provenance | 0% | Covered
L2.1 | Provenance Authenticated | Provenance | 0% | Partial
L2.2 | Service-Generated | Build | 0% | Partial
L3.1 | Hardened Builds | Isolation | 0% | Gap
L3.2 | Non-Falsifiable Provenance | Provenance | 0% | Gap

All Frameworks: SLSA 87% · OWASP 92% · NIST 71% · CIS 78%
Pipeline Coverage & Risk Findings

16 Pipeline Tools Tested. 8 Real Findings.

Every tool in your build ecosystem tested with manual exploitation techniques. Real findings with full proof-of-concept — not scanner alerts.

Pipeline & Tool Coverage
CI: GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure DevOps, Bitbucket Pipelines
GitOps: ArgoCD / Flux, Tekton
IaC: Terraform / Pulumi
Registry: ECR / GCR / ACR, Artifactory / Nexus
Packages: npm / PyPI / Maven, NuGet / Cargo / Go Modules
SBOM: SBOM (CycloneDX / SPDX)
Signing: Cosign / Sigstore / Notary
Container: Docker / OCI images
Risk Finding Register
Finding | Category | Impact | Severity
Unauthenticated workflow trigger on public fork | CI/CD Injection | Full pipeline + secrets compromise | CRITICAL
Private namespace collision — npm package unscoped | Dependency Confusion | Malicious code in all builds on next npm install | CRITICAL
AWS_SECRET_ACCESS_KEY in GitHub Actions log (public repo) | Secrets Exposure | Full AWS environment compromise within 60 seconds | CRITICAL
Third-party Action pinned to @v2 tag (not SHA) | Action Supply Chain | Silent backdoor on next tag update by maintainer | CRITICAL
Container images deployed without signature verification | Artifact Integrity | Tampered images in production with no detection | HIGH
Transitive dependency with RCE vulnerability (CVSS 9.8) | Dependency CVE | Remote code execution in build environment | HIGH
Terraform modules pulled from unversioned public registry | IaC Supply Chain | Infrastructure modified via compromised module update | HIGH
Pull-through registry cache allows unsigned images | Registry Security | Tampered images enter build process without validation | MEDIUM
16 · Pipeline Tools Tested · CI/CD, GitOps, IaC, Registries
4 · Critical Findings · Typical per engagement
CVSS v3.1 · Scoring Standard · All findings scored
PoC · Exploitation Evidence · Not scanner output — real attacks
Remediation Playbook

Copy-Paste Remediation Code

Three remediation tiers from same-day critical fixes to 30-day strategic security uplift. Every action includes working code you can deploy immediately.

Rotate All Exposed CI/CD Credentials (low effort)

Any secret exposed in logs, artifacts, or commits must be rotated immediately — before any other remediation step.

Disable Unauthenticated Pipeline Triggers (low effort)

Close the PPE (Poisoned Pipeline Execution) window — restrict workflow_run and pull_request_target triggers to internal refs only.

Pin All Third-Party GitHub Actions to SHA (medium effort)

Every unpinned action is a latent supply chain vector. Replace all @v2-style tags with full 40-character commit SHAs immediately.

Same Day · Critical — Act Now · 3 remediation actions · low + low + medium effort
🔧 Within 1 Week · High Priority · 3 remediation actions · medium + high + low effort
🏗️ Within 30 Days · Strategic Uplift · 2 remediation actions · high + medium effort
Start Your Assessment

Your Build Pipeline Has Attack Paths

Manual supply chain penetration testing that finds what automated scanners miss — pipeline injection vectors, dependency confusion attacks, and artifact integrity gaps.

0+
Engagements Completed
Supply chain focused
0%
Finding Accuracy
Validated & reproducible
0 days
Standard Duration
Scoped to your stack
0%
Manual Testing
No scanner-only findings
Engagement Process
01 · Scoping Call · Day 0

30-minute technical call to map your stack and define engagement boundaries.

02 · Credential Setup · Day 1

Secure read-only access configuration for pipeline and registry inspection.

03 · Active Testing · Days 2–11

10-day structured engagement following our 6-phase supply chain methodology.

04 · Report & Debrief · Day 12

Findings report with exploitation evidence, CVSS scoring, and remediation code.

What We Test
🔗 CI/CD Pipelines (GitHub/GitLab/Jenkins/etc.)
📦 Dependency Registries (npm/PyPI/Maven/etc.)
🔏 Artifact Signing & Container Registries
📄 SBOM Generation & Validation
🌐 Third-Party Actions & Shared Templates
☁️ IaC Pipeline Modules (Terraform/Pulumi)
🐳 Container Build & Image Supply Chain
🔑 Signing Infrastructure (Cosign/Sigstore/Notary)
Engagements currently running — limited quarterly availability
No Scanner Reliance
Full Manual Testing
NDA Before Kickoff
SLSA-Aligned Methods
CVE-Quality PoC Evidence
