© 2026 LetsGit.IT. All rights reserved.

Security (hard)

What is software supply-chain risk and how do you mitigate it?

Tags
#supply-chain #dependencies #slsa

Answer

Supply-chain risk is the chance that dependencies, build steps, or artifacts are tampered with. Mitigations include pinning versions, using SBOMs, verifying signatures, least-privilege CI, and monitoring for vulnerable dependencies.

Advanced answer

Deep dive

Supply-chain attacks target dependencies and build pipelines:

  • Risks: typosquatting, compromised packages, poisoned build steps.
  • Controls: lockfiles, provenance (SLSA), signed artifacts (Sigstore).
  • CI hardening: least-privilege tokens, isolated build runners.
  • Continuous scanning: SCA, SBOM, dependency policies.

Examples

Dependency integrity via lockfile + CI verification:

  • npm ci (installs exactly the versions recorded in the lockfile and refuses to run if package.json and the lockfile disagree)
  • verify package signatures
  • fail the build on critical CVEs
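The lockfile gate above, as an added example that is not part of this page or of any npm tooling: a Node script a CI job could run beside `npm ci`. It walks a `package-lock.json` (lockfileVersion 2/3 `packages` map), flags entries without an `integrity` hash or resolved from an unexpected registry, and fails on a critical advisory. The lockfile excerpt and the advisory list are constructed inline; a real pipeline would read the lockfile from disk and feed advisories from `npm audit --json` or an SCA tool. Signature verification itself is left to `npm audit signatures`.

```javascript
// Added example: CI policy gate over package-lock.json (constructed data, not a real project).
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Constructed lockfile excerpt in the lockfileVersion 3 shape.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "4.17.21", "left-pad": "1.3.0" } },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      // Resolved from an internal mirror rather than the allowed registry,
      // and no integrity field: npm ci cannot verify this tarball.
      resolved: "http://mirror.example.internal/left-pad-1.3.0.tgz",
    },
  },
};

// Constructed advisory feed: exact affected versions plus a severity.
const advisories = [
  { name: "lodash", versions: ["4.17.20"], severity: "high" },
  { name: "left-pad", versions: ["1.3.0"], severity: "critical" },
];

// Returns one finding per violated rule; an empty list means the lockfile passes.
function checkLockfile(lock, advisoryList, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Package name is whatever follows the last "node_modules/" (handles nesting and scopes).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) findings.push({ name, rule: "missing-integrity" });
    if (!entry.resolved || !entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, rule: "untrusted-registry", resolved: entry.resolved });
    }
    for (const adv of advisoryList) {
      if (adv.name === name && adv.severity === "critical" && adv.versions.includes(entry.version)) {
        findings.push({ name, rule: "critical-advisory", version: entry.version });
      }
    }
  }
  return findings;
}

// Gate result a CI step can map to its exit status.
function gate(lock, advisoryList) {
  const findings = checkLockfile(lock, advisoryList);
  return { ok: findings.length === 0, findings };
}

console.log(JSON.stringify(gate(lockfile, advisories), null, 2));
```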

Common pitfalls

  • Auto-updating dependencies without review.
  • Using shared CI secrets across repos.
  • Skipping SBOMs or dependency audits.

Interview follow-ups

  • How do you respond to a compromised dependency?
  • What is SLSA level 2/3 in practice?
  • How do you ensure build reproducibility?
