{"id":27935584,"url":"https://github.com/applicative-systems/secure-supply-chain","last_synced_at":"2025-05-07T06:49:43.649Z","repository":{"id":291453904,"uuid":"977660302","full_name":"applicative-systems/secure-supply-chain","owner":"applicative-systems","description":"Secure Software Supply Chain Demonstration with Nix","archived":false,"fork":false,"pushed_at":"2025-05-05T17:25:04.000Z","size":28,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-07T06:49:39.469Z","etag":null,"topics":["nix","nixos","software-supply-chain-security","supply-chain","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://nixcademy.com","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/applicative-systems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-04T17:48:25.000Z","updated_at":"2025-05-05T17:25:08.000Z","dependencies_parsed_at":"2025-05-04T19:31:40.148Z","dependency_job_id":null,"html_url":"https://github.com/applicative-systems/secure-supply-chain","commit_stats":null,"previous_names":["applicative-systems/secure-supply-chain"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/applicative-systems%2Fsecure-supply-chain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/applicative-systems%2Fsecure-supply-chain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/applicative-systems%2Fsecure-supply-chain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/applicative-systems%2Fsecure-supply-chain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/applicative-systems","download_url":"https://codeload.github.com/applicative-systems/secure-supply-chain/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252831190,"owners_count":21810780,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nix","nixos","software-supply-chain-security","supply-chain","supply-chain-security"],"created_at":"2025-05-07T06:49:43.044Z","updated_at":"2025-05-07T06:49:43.638Z","avatar_url":"https://github.com/applicative-systems.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Demonstrably Secure Software Supply Chain\n\nThis repository provides a robust solution for organizations needing to prove\nthe integrity of their software supply chain.\nUsing NixOS, it demonstrates how to define a complex system image, verify that\nall source inputs are untampered, and rebuild the image offline from scratch.\nThis ensures auditable, tamper-proof software builds—ideal for regulatory\ncompliance or high-security environments.\n\n## Who Benefits?\n\n- **Developers and DevOps Teams**: Ensure reproducible, secure builds.\n- **Compliance Officers**: Provide verifiable proof for audits.\n- **Security Professionals**: Mitigate supply chain attacks with full\n  transparency.\n\n## Why This Matters\n\n- **Prove Integrity**: Guarantee that this exact set of sources produced this\n  image without third-party interference.\n- **Comprehensive Source Tracking**: Includes all application sources and\n  toolchains (e.g., compilers and their compilers) for complete transparency.\n- **Auditable Outputs**: Exports all sources (a few GB of tarballs) for\n  third-party audits, ensuring trust and accountability.\n\n## What’s Included\n\nA minimal NixOS image with realistic demo applications:\n\n- **C++ Database Writer**: Listens on a TCP port, writes input to a PostgreSQL\n  database.\n- **Rust Database Reader**: Serves database content over HTTP.\n\nThe booted ISO runs these services, showcasing a secure, reproducible build.\n\n## Key Features\n\n### Create an Offline Source-Only Closure\n\nCaptures all source tarballs, Nix expressions, and bootstrap tools needed for offline rebuilding.\n\n```console\n$ ./scripts/source-closure.sh\n```\n\nOutput: source-export.closure—a verifiable package for audits.\n\n### Rebuild Offline with Confidence\n\nReproduce the build on an offline system (e.g., via USB transfer):\n\n```console\n$ nix-store --import \u003c source-export.closure\n$ nix-build\n```\n\n### Test in an Offline Docker Environment\n\nValidate the process without a separate machine:\n\n```console\n$ docker run -it --network=none -v /path/to/repo:/src nixos/nix\n# nix-store --import \u003c /src/source-export.closure\n# nix-build /src --option substituters \"\"\n```\n\n### Flakes Support\n\nPrefer Nix flakes? Export and rebuild with:\n\n```console\n$ ./scripts/source-closure-flake.sh\n$ docker run -it --network=none -v /path/to/repo:/src nixos/nix\n# nix-store --import \u003c /src/source-export.closure\n# git config --global --add safe.directory /src\n# nix build /src -L --option substituters \"\" --extra-experimental-features \"nix-command flakes\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapplicative-systems%2Fsecure-supply-chain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapplicative-systems%2Fsecure-supply-chain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapplicative-systems%2Fsecure-supply-chain/lists"}