Supply Chain Artifact Drill
This scenario exercises artifact provenance and the release gate. It is derived from the 2023 3CX supply chain compromise, generalized into a software supply chain artifact drill.
Scenario Trigger
A customer reports that a desktop client or agent version has triggered an EDR alert. Internal comparison finds drift between the publicly downloadable artifact, the build record, and the signing evidence.
Initial Hypothesis
| Hypothesis | Evidence to check |
|---|---|
| Artifact replaced after build | checksums, registry log, publish log |
| Build environment compromised | CI logs, runner image, credential use |
| Upstream dependency or tooling introduced the taint | dependency provenance, developer endpoint evidence |
Control Surface
The control surface covers artifact provenance, the CI pipeline, the release gate, release freeze, rollback, and the customer advisory.
Response Route
- Freeze: suspend publication and auto-update of the affected artifact.
- Scope: compare artifact hashes, download logs, and the customer version distribution.
- Validate: rebuild from a clean environment, then verify signatures and provenance. A signature that verifies only shows the signing step ran on that digest; it does not clear the build input, so the rebuilt digest must also be compared with the build record.
- Rollback: provide a clean artifact and an uninstall or rollback route.
- Write-back: update the release gate, build isolation, and the artifact evidence policy.
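The Scope and Validate steps, and the hypothesis table above, reduce to comparing one digest per stage of the release path (build record, signing log, publish log, customer download) and then checking the whole chain against a clean rebuild. The following is an added example written for this drill, not code from the original page or from any vendor's pipeline; the `ReleaseEvidence` field names, the `customer,version,sha256` download-log format, and the sample artifact bytes are all constructed assumptions, not a real CI or registry schema.

```python
"""Artifact drift triage for the Scope and Validate steps of this drill."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest used to identify an artifact at every stage of the release path."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ReleaseEvidence:
    """Digests recorded by each stage. Field names are assumed, not a real CI schema."""
    version: str
    build_digest: str       # what the CI job recorded as its output
    signed_digest: str      # what the signing service attests it signed
    published_digest: str   # what the publish step / registry log recorded


def classify_drift(ev: ReleaseEvidence, observed_digest: str,
                   clean_rebuild_digest: Optional[str] = None) -> str:
    """Map hash evidence onto the drill's hypotheses, earliest stage first.

    drift:sign                 signing log attests a digest CI never recorded
    drift:publish              published digest differs from the signed one
    drift:distribution         customers downloaded something other than what was published
    no-drift:rebuild-mismatch  every stage agrees, but a clean rebuild differs:
                               build environment or upstream dependency is suspect
    no-drift:unverified        every stage agrees; no clean rebuild evidence yet
    no-drift:rebuild-matches   every stage agrees and the clean rebuild reproduces it
    """
    if ev.signed_digest != ev.build_digest:
        return "drift:sign"
    if ev.published_digest != ev.signed_digest:
        return "drift:publish"
    if observed_digest != ev.published_digest:
        return "drift:distribution"
    # Hashes agree end to end. That proves the pipeline shipped what it built,
    # not that what it built was clean (a tainted build can be signed and published as-is).
    if clean_rebuild_digest is None:
        return "no-drift:unverified"
    if clean_rebuild_digest != ev.build_digest:
        return "no-drift:rebuild-mismatch"
    return "no-drift:rebuild-matches"


def downstream_impact(download_log: list[str], tainted: set[str]) -> dict[str, int]:
    """Count downloads of tainted digests per customer.

    Log line format is a constructed 'customer,version,sha256'; real download
    logs need their own parser.
    """
    hits: dict[str, int] = {}
    for line in download_log:
        customer, _version, digest = (f.strip() for f in line.split(","))
        if digest in tainted:
            hits[customer] = hits.get(customer, 0) + 1
    return hits


# ---- constructed sample data (not real binaries, customers or versions) ----
CLEAN = b"agent-installer 2.3.1 (constructed sample, not a real binary)"
TAINTED = CLEAN + b"\x00injected-loader-stub"
CLEAN_DIGEST = sha256_hex(CLEAN)
TAINTED_DIGEST = sha256_hex(TAINTED)

# Case A: pipeline records agree, but the download host served something else.
EV_DOWNLOAD_SWAP = ReleaseEvidence("2.3.1", CLEAN_DIGEST, CLEAN_DIGEST, CLEAN_DIGEST)
# Case B: the build output itself was tainted and went through signing and
# publishing untouched; only a clean rebuild exposes it.
EV_TAINTED_BUILD = ReleaseEvidence("2.3.1", TAINTED_DIGEST, TAINTED_DIGEST, TAINTED_DIGEST)

DOWNLOAD_LOG = [
    "acme-corp, 2.3.1, " + TAINTED_DIGEST,
    "acme-corp, 2.3.1, " + TAINTED_DIGEST,
    "globex, 2.3.1, " + CLEAN_DIGEST,
    "initech, 2.3.0, " + sha256_hex(b"previous release"),
]


def triage() -> dict[str, object]:
    """Run both cases and the impact count; returns results for review."""
    return {
        "case_a": classify_drift(EV_DOWNLOAD_SWAP, TAINTED_DIGEST),
        "case_b_before_rebuild": classify_drift(EV_TAINTED_BUILD, TAINTED_DIGEST),
        "case_b_after_rebuild": classify_drift(EV_TAINTED_BUILD, TAINTED_DIGEST, CLEAN_DIGEST),
        "impact": downstream_impact(DOWNLOAD_LOG, {TAINTED_DIGEST}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Case B is the one worth rehearsing: every hash in the pipeline agrees with what customers downloaded, so the "replaced after build" hypothesis is ruled out and the result stays `no-drift:unverified` until the clean rebuild is in hand, at which point the mismatch points at the build environment or an upstream input rather than at publishing or distribution.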
Evidence Target
| Evidence | Purpose |
|---|---|
| build provenance record | determines whether the artifact is traceable to a recorded build |
| signing log | determines whether the signing process was abused |
| customer download log | determines downstream impact |
| release freeze record | proves that risky releases were halted |