Software Supply Chain Glossary
A comprehensive collection of terms, concepts, and definitions related to software supply chain management.
A
Artifact
A file or package produced by the build process, such as an executable, container image, library, or other deployable component.
Artifact Repository
A specialized storage system that manages and organizes software packages, binaries, and dependencies throughout the software development lifecycle.
Attestation
A digitally signed statement or evidence about software artifacts that verifies specific properties, origins, or processes related to the software supply chain, enhancing trust and transparency.
Authentication
The process of verifying the identity of a user, system, or entity attempting to access a resource, ensuring that only authorized parties can gain access to protected systems and data.
B
Build System
Software that automates the process of converting source code into executable applications, handling compilation, linking, packaging, and other build tasks.
Business Source License (BSL)
The Business Source License (BSL) is a source-available license that allows free use with specific limitations and automatically converts to an open source license after a set time period.
C
Container Bill of Materials (CBOM)
A structured inventory that documents all components, dependencies, and configuration details within a container image, enabling enhanced visibility and security throughout the container lifecycle.
CI/CD (Continuous Integration / Continuous Deployment)
A set of practices and tools that automate the process of building, testing, and deploying software, enabling frequent and reliable software delivery.
CI/CD Security
The practice of protecting continuous integration and continuous delivery pipelines from security threats, ensuring that automated software delivery processes don't introduce vulnerabilities into applications or infrastructure.
Cybersecurity and Infrastructure Security Agency (CISA)
A federal agency responsible for improving cybersecurity across government and critical infrastructure sectors, coordinating national cyber defense, and providing guidance on emerging security threats.
Code Signing
The process of digitally signing executables and software packages to verify the author's identity and ensure the code hasn't been altered or corrupted since signing.
Commons Clause
The Commons Clause is a license condition that restricts commercial use of software when applied to an existing open source license, creating a source-available approach.
Copyleft Licenses
Open source licenses that require derivative works to be distributed under the same or compatible license terms, ensuring that modifications remain freely available to the community.
Cryptography
The practice and study of techniques for securing communication and data through the use of mathematical algorithms, enabling confidentiality, integrity, authentication, and non-repudiation in software systems.
CycloneDX
CycloneDX is a lightweight SBOM standard designed for application security contexts and supply chain component analysis.
D
Dependency
External software packages or components that a project uses or relies on to function properly.
Dependency Confusion
A software supply chain attack where malicious packages with the same name as internal dependencies are published to public repositories, tricking build systems into using the malicious version.
Dependency Pinning
Dependency pinning is the practice of locking software dependencies to specific versions to ensure build reproducibility, stability, and security in the software supply chain.
DevSecOps
An approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle, from initial development through production deployment and beyond.
DevOps Research and Assessment (DORA)
A research program that establishes metrics and benchmarks for measuring software delivery performance and organizational effectiveness in technology organizations.
E
End-of-Life Management
The systematic approach to identifying, assessing, and mitigating risks associated with software components, dependencies, and systems that have reached or are approaching end-of-life or end-of-support status.
Ephemeral Environments
Short-lived, isolated, and disposable development and testing environments that are automatically created and destroyed as needed to provide consistent and reproducible software testing.
G
Git
A distributed version control system that tracks changes in source code during software development, enabling collaborative development and maintaining a complete history of changes.
GPL License
The GNU General Public License (GPL) is a copyleft open source license that requires derivative works to be distributed under the same license terms, ensuring that software remains free and open.
J
Jenkins
An open-source automation server that enables the creation and management of continuous integration and continuous delivery (CI/CD) pipelines, with capabilities for securing the software development and deployment process.
Jira
A project management and issue tracking tool developed by Atlassian that helps teams plan, track, and manage software development projects, with capabilities that can be leveraged for supply chain security governance and visibility.
P
Package Manager
A tool that automates the process of installing, upgrading, configuring, and removing software dependencies in a consistent manner.
Permissive Licenses
Open source licenses that impose minimal restrictions on the redistribution and use of software, allowing for incorporation into proprietary products with few requirements beyond attribution.
Policy as Code
Policy as Code is the practice of defining and managing compliance policies in code form, enabling automated enforcement, version control, and consistent application across development environments.
Provenance
Metadata that describes the origin, creation process, and supply chain journey of a software artifact, enabling verification of its authenticity and integrity.
Q
Quantum Computing
A form of computing that harnesses quantum mechanical phenomena to perform calculations, potentially threatening current cryptographic systems while enabling new approaches to secure communications.
Quantum Computing Security
The field addressing cryptographic vulnerabilities and cybersecurity challenges posed by quantum computers, focusing on post-quantum cryptography and mitigations for quantum threats to software supply chains.
S
Software Bill of Materials (SBOM)
A formal, machine-readable inventory that lists all components and dependencies included in a software application, providing transparency into the software supply chain.
SCA (Software Composition Analysis)
Tools and methods for identifying, analyzing, and managing third-party and open source components within software applications to mitigate security and compliance risks.
Secrets Management
The processes, practices, and tools for securely handling sensitive information like credentials, tokens, and encryption keys throughout the software development lifecycle and across the supply chain.
Sigstore
An open-source project providing a standard way to sign, verify, and protect software artifacts without managing long-term cryptographic keys.
SLSA (Supply-chain Levels for Software Artifacts)
A security framework that defines graduated levels of software supply chain security, helping organizations incrementally improve their security posture.
Software Supply Chain
The full lifecycle and pipeline involved in developing, building, packaging, distributing, and deploying software—including dependencies, tools, infrastructure, and people.
Source-Available Licensing
Source-available licensing allows access to source code while restricting certain usage rights, striking a middle ground between open source and proprietary software models.
SPDX (Software Package Data Exchange)
An open standard for describing and exchanging software package data, widely used in the software supply chain to support license compliance and security.
Server Side Public License (SSPL)
The Server Side Public License (SSPL) is a source-available license created by MongoDB that requires service providers to release the complete source code of applications built on SSPL-licensed software.
Supply Chain Attack
A cyberattack that targets the less-secure elements in the software supply chain to compromise the intended target.
T
Transitive Dependency
A dependency that is not directly imported by a project but is required by one of the project's direct dependencies.
Typosquatting
A software supply chain attack where malicious packages with names similar to popular dependencies are published, exploiting common typing errors to trick developers into installing them.