[Figure: SLSA supply-chain threats diagram. Pipeline stages shown: Developer, Source, Build, Dependencies, Package, Consumer. Threat labels: A Submit bad code; B Compromise source control; C Modified code after source control; D Compromised build platform; E Using a risky dependency; F Bypassed CI/CD; G Compromised package repo; H Using a risky package. Threats are grouped as source threats, build threats and dependency threats.]

Source: https://slsa.dev/images/supply-chain-threats.svg