A practical reference implementation of a software supply chain security pipeline designed for regulated environments (Fintech, Healthcare, Enterprise).

This repository demonstrates architectural thinking around SBOM generation, artifact signing, provenance attestation, and policy-as-code governance — not a production system, but a portfolio-ready pattern.

Modern software delivery requires security to be:

• Automated — not a manual gate
• Early — shift-left, not shift-right
• Consistent — same rules across all repos
• Auditable — traceable for compliance

Most teams bolt security on as an afterthought. Ledger demonstrates how to design supply chain security into the pipeline from day one.

For detailed architecture, see docs/architecture.md.

• Fail-fast: Security issues block before build
• Parallel scanning: Multiple tools run concurrently
• Caching: Dependency caches reduce scan time
• Reproducible: Pinned tool versions
• Auditable: All findings logged and exportable

• dev — All scans, warnings only
• staging — All scans, blocks on high+
• prod — All scans, blocks on medium+, requires approval

ledger-supply-chain-security/
├── README.md
├── ARCHITECTURE_OVERVIEW.md
├── CONTRIBUTING.md
├── SECURITY.md
├── CONTEXT.md
├── PROMPT.md
├── SECURITY_GATES.md
├── PIPELINE_POLICY_MODEL.md
├── RISK_NOTES.md
├── THREAT_MODEL.md
├── docs/
│   ├── architecture.md
│   ├── diagrams/
│   │   ├── pipeline-flow.svg
│   │   └── security-gates.svg
│   └── adr/
│       ├── 0001-choose-github-actions.md
│       ├── 0002-snyk-for-vulnerability-scanning.md
│       └── 0003-semgrep-for-sast.md
├── .github/
│   ├── workflows/
│   │   ├── secure-pipeline.yml
│   │   ├── security-scan.yml
│   │   └── container-scan.yml
│   ├── ISSUE_TEMPLATE/
│   └── PULL_REQUEST_TEMPLATE.md
├── examples/
│   ├── sample-app/
│   └── policy-examples/
├── scripts/
│   ├── local-scan.sh
│   └── generate-sbom.sh
└── src/
    └── policies/
        ├── container-policy.rego
        └── deployment-policy.rego

This repository includes a sample service located at:

src/app/

The application serves as a realistic workload to exercise the pipeline end-to-end. It enables validation of:

• SAST scanning (Semgrep)
• Dependency & container scanning (Snyk)
• SBOM generation (Syft/CycloneDX)
• Image signing & attestation (Cosign/Sigstore)
• Policy-as-Code evaluation (OPA/Conftest)

The purpose of this sample app is not to act as a product service, but to provide a controlled execution surface for demonstrating a secure software supply-chain flow in a way that mirrors real enterprise environments.

• GitHub repository with Actions enabled
• Container registry (ECR, GHCR, etc.)
• Optional: Snyk token for enhanced scanning

cp -r .github/workflows/ /path/to/your-repo/.github/workflows/

# Required secrets in GitHub repository settings
CONTAINER_REGISTRY: ghcr.io/your-org
SNYK_TOKEN: (optional) your-snyk-token

Push to any branch to trigger the secure pipeline.

• Shift-left security: Catches issues before merge
• Automation: No manual security review bottleneck
• Auditability: Full trail of all security decisions
• Consistency: Same rules across all repositories

• False positives: Semgrep/Snyk may flag non-issues
• Scan time: Full security scan adds 3-8 minutes
• Tool coverage: No single tool catches everything
• Context blindness: Tools don't understand business logic

• Regulated industries (Fintech, Healthcare)
• Enterprise environments with compliance requirements
• Teams scaling beyond manual security review
• Organizations building software supply chain security

• Early-stage prototypes where speed > security
• Internal tools with no external exposure
• Environments without CI/CD capability

• OWASP CI/CD Security
• SLSA Framework
• Sigstore
• NIST SSDF

MIT License — See LICENSE for details.

Note: This repository is a practical reference implementation for portfolio and interview purposes. It demonstrates architectural patterns and engineering thinking, not production-ready code.