Supply chain compromises are a powerful attack vector. In cloud native deployments everything is software-defined, so there is increased risk when there are vulnerabilities in this area. If an attacker controls the supply chain, they can potentially reconfigure anything in an insecure way.
The Catalog of Supply Chain Compromises provides real-world examples that help raise awareness and provide detailed information that let's us understand attack vectors and consider how to mitigate potential risk.
There is on-going work to establish best practices in this area. The list of types of supply chain compromises in the catalog of supply chain compromises suggests some mitigation techniques for the more well understood categories.
STAG (Security Technical Advisory Group) has put work into a comprehensive software supply chain paper highlighting best practices for high and medium risk environments. Please check out the paper and corollary secure supply chain assessment document to learn more.
For information about contributing to the document or providing feedback, please refer to the README.