# Sola for Supply Chain Security

Software supply chain attacks target CI/CD pipelines, source repositories, and third-party dependencies. The risk sits at the intersection of developer tooling and cloud infrastructure.

Sola connects GitHub, CI/CD systems, cloud environments, and identity data to surface supply chain risks including exposed secrets, overprivileged pipeline tokens, and insecure workflow configurations.

This page explains the key concepts behind **CI/CD** and **supply chain security**: what they are, why they matter, and how Sola helps you identify the associated risks.

## What is CI/CD and Supply Chain Security?

CI/CD security focuses on protecting the build and deployment pipeline from code commit to production release. Supply chain security extends this to cover third-party dependencies, open-source packages, and external actions that enter your codebase.

In simple terms, CI/CD and supply chain security helps answer the questions:

***"Is my software build pipeline secure, and can I trust what's in my code?"***

***"Am I exposed if a third-party dependency is compromised?"***

Risks addressed include:

* Secrets and credentials committed to repositories.
* CI/CD service accounts and tokens with excessive cloud or production access.
* Unpinned third-party actions from unverified publishers.
* Weak branch protection rules that allow unreviewed changes to main.
* Dependencies with known vulnerabilities or suspicious ownership changes.
* Uncontrolled access to pipeline definitions.

## Why is CI/CD and Supply Chain Security important?

Software supply chain attacks have become one of the fastest-growing threat vectors.

A leaked secret, an unpinned GitHub Action, or an overprivileged pipeline token can each be the entry point for a much larger compromise. These risks live at the intersection of developer tooling and cloud infrastructure, a gap most security tools cannot bridge.

Sola connects both sides of that gap to surface supply chain risks in full context.

## CI/CD and Supply Chain Security with Sola

Sola connects GitHub, CI/CD systems, cloud environments, and identity data to surface supply chain risks that siloed tools miss.

With Sola, you can:

* **Detect** secrets and credentials committed to GitHub repositories.
* **Audit** CI/CD service accounts and tokens for excessive permissions or production access.
* **Identify** unpinned or unverified third-party actions in GitHub workflows.
* **Review** branch protection rules across your GitHub organization.
* **Surface** dependency risks including known CVEs and suspicious ownership changes.
* **Map** which identities can modify pipeline definitions without oversight.

## Prompt library examples

Browse and run these prompts directly from the Prompt library in the Sola chat interface.

<img src="/files/MLlMKRdCI1cJhQemb1Ho" alt="Prompt Library" data-size="original">

<details>

<summary><strong>Unpinned Third-Party Actions</strong></summary>

{% code title="PROMPT" overflow="wrap" %}

```
Which GitHub Actions workflows use third-party actions not pinned to a specific commit SHA? Flag any actions from unverified publishers, recently transferred repositories, or accounts with a history of security issues.
```

{% endcode %}

</details>

<details>

<summary><strong>Branch Protection Gap Audit</strong></summary>

{% code title="PROMPT" overflow="wrap" %}

```
Audit branch protection rules across my GitHub organization. Which repositories allow direct pushes to main or master, have no required code reviewers, permit force-pushes, or allow certain users to bypass protections?
```

{% endcode %}

</details>
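The audit logic this prompt describes, as an added example (not Sola's code): evaluate each repository's default-branch protection settings for the four gaps named above. The records are constructed and their field names are an assumption loosely modeled on the shape of the GitHub REST branch-protection response; adapt them to your data source.

```python
"""Flag branch-protection gaps: direct pushes, no required reviewers, force-pushes, bypasses.

Added example, not Sola's code. Field names below are an assumption modeled on the
GitHub REST branch-protection response shape; None means no protection rule exists.
"""
from typing import Any, Optional

# Constructed sample data (not real repositories).
SAMPLE_REPOS: dict[str, Optional[dict[str, Any]]] = {
    "payments-api": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 2,
            "bypass_pull_request_allowances": {"users": []},
        },
        "allow_force_pushes": {"enabled": False},
        "enforce_admins": {"enabled": True},
    },
    "infra-tooling": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 0,  # PR required, but zero approvals
            "bypass_pull_request_allowances": {"users": ["release-bot"]},
        },
        "allow_force_pushes": {"enabled": True},
        "enforce_admins": {"enabled": False},
    },
    "docs-site": None,  # default branch has no protection rule at all
}

def audit_branch_protection(protection: Optional[dict[str, Any]]) -> list[str]:
    """Return gap labels for one branch's protection settings (empty list = no gaps)."""
    if protection is None:
        return ["no-protection-rule"]  # anyone with write access can push straight to main
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        gaps.append("direct-push-allowed")  # no pull request required before merging
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            gaps.append("no-required-reviewers")
        if reviews.get("bypass_pull_request_allowances", {}).get("users"):
            gaps.append("review-bypass-users")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        gaps.append("force-push-allowed")
    if not protection.get("enforce_admins", {}).get("enabled"):
        gaps.append("admins-can-bypass")
    return gaps

def audit_org(repos: dict[str, Optional[dict[str, Any]]]) -> dict[str, list[str]]:
    """Audit every repository and keep only those with at least one gap."""
    results = {}
    for name, protection in repos.items():
        gaps = audit_branch_protection(protection)
        if gaps:
            results[name] = gaps
    return results
```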

<details>

<summary><strong>Supply Chain Dependency Risk</strong></summary>

{% code title="PROMPT" overflow="wrap" %}

```
Identify packages and dependencies in my repositories with known critical CVEs, suspicious recent ownership changes, or unusual version release patterns - common indicators of dependency confusion or typosquatting attacks.
```

{% endcode %}

</details>

<details>

<summary><strong>CI/CD Access Footprint</strong></summary>

{% code title="PROMPT" overflow="wrap" %}

```
Map which identities, human and machine, have permission to modify CI/CD pipeline definitions. Flag cases where developers can edit their own pipelines without a second approver, or where pipeline changes bypass the standard code review process.
```

{% endcode %}

</details>

