Development Environment
Introduction
The main advice regarding supply-chain security has long been to keep dependencies up to date, either by running regular audits with the designated package manager or by using a tool such as Dependabot.
Given the growing trend of malware in packages on npm and other registries, it is time we start treating dependencies as potentially dangerous. Developers are the target of much of this malware.
A recent version of pnpm has implemented some supply-chain protections to lower the risk of npm-based malware infections.
Another precaution to limit the impact of such attacks is to use sandboxed development environments. One solution is a cloud development environment (CDE) such as GitHub Codespaces, Google Cloud Workstations or AWS Cloud9. Another is to run your own virtual machine for development.
Using isolated development environments is also an advised safety precaution for agentic coding.
Custom virtual machine
Using custom virtual machines as development environments is an option for organizations that already have the necessary infrastructure and want tight control of costs.
Our recommendation is that the organization create a VM template per tech stack.
Access tokens
You need to be able to push commits from your sandboxed development environment. We recommend setting up branch protection to force review of all code changes before merging into the main branch.
On GitHub, we recommend using fine-grained personal access tokens. The principle of least privilege should be followed when creating tokens: they should be scoped to only the necessary repository. In addition, tokens can be created with a short expiration, although that can create some inconvenience.
CI/CD
Developers should not be allowed to publish artifacts themselves. This should only be allowed from a protected CI/CD environment.
Some of the aforementioned supply-chain malware has spread by exploiting CI/CD pipelines. If you or your organization maintains open source packages, it might be a good idea to have a security-conscious person review the CI/CD pipeline. Avoid running untrusted code as part of the pipeline, because that could expose access tokens to unauthorized parties.
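As an added illustration of the last two points (example configuration, not from the original page or any named project), here are two GitHub Actions workflows for a hypothetical npm package: one that lets a contributor's pull-request code run with the repository's publish token, and a hardened version that keeps untrusted code away from secrets and moves publishing into a protected job. The workflow names, the "release" environment and the NPM_TOKEN secret are assumptions.

```yaml
# Added example (not the page's own configuration). Workflow names, the
# "release" environment and the NPM_TOKEN secret are assumed for illustration.

# --- Weak: a fork's pull-request code runs with the base repository's secrets ---
name: ci-weak
on:
  pull_request_target:        # runs in the base repo's context, so secrets are available
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # checks out the untrusted change
      - run: npm ci           # install scripts of any dependency the PR added run here
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # publish token visible to untrusted code
---
# --- Hardened: untrusted code gets no secrets; publishing is a separate, protected job ---
name: ci
on:
  pull_request:               # fork PRs run with a read-only token and no repository secrets
  push:
    tags: ['v*']
permissions:
  contents: read              # least privilege for the default GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts   # do not execute dependency install scripts
      - run: npm test
  publish:
    needs: test
    if: github.event_name == 'push'    # never from a pull request, only from a tag push
    runs-on: ubuntu-latest
    environment: release               # protected environment: required reviewers gate the token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: 'https://registry.npmjs.org'   # writes .npmrc that reads NODE_AUTH_TOKEN
      - run: npm ci --ignore-scripts
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

If a dependency genuinely needs its install script (native builds, for instance), allow that one package explicitly rather than dropping --ignore-scripts for the whole install.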