Stop Supply Chain Breaches Before They Happen

Modern software supply chains are under siege. With over 650% increase in supply chain attacks since 2021, every dependency you pull, every third-party service you integrate, and every build artifact you ship becomes a potential attack vector. One compromised dependency can expose your entire production environment.

The Hidden Vulnerabilities in Your Stack

Your current development workflow likely includes these security gaps:

Unsigned artifacts: You're pulling Docker images and npm packages without cryptographic verification
Blind dependencies: You have no visibility into what's actually inside your third-party components
Static builds: Your CI/CD pipeline trusts whatever code exists at build time without provenance tracking
Manual security gates: Security reviews happen too late in the process, if at all
Vendor blindness: You're trusting third-party suppliers without continuous risk assessment

Each of these creates an opportunity for attackers to inject malicious code into your production systems through your trusted development processes.

End-to-End Supply Chain Protection

These Cursor Rules implement a comprehensive security framework that transforms your TypeScript applications into fortress-grade supply chain operations. You get automated security gates, cryptographic verification, and continuous monitoring built directly into your development workflow.

The rules enforce SLSA (Supply Chain Levels for Software Artifacts) compliance, generate Software Bills of Materials (SBOMs) for every release, and implement zero-trust verification throughout your entire toolchain.

Immediate Security Improvements

Cryptographically Signed Everything

Every artifact gets signed with Cosign and stored with provenance data:

// Automated in your CI/CD pipeline
cosign sign --key kms://gcp/key dist/image.tar
slsa-provenance attestation dist/image.tar

Real-Time Dependency Monitoring

Continuous vulnerability scanning catches issues before they reach production:

- run: trivy image --exit-code 1 dist/image.tar
- run: osv-scanner --lockfile package-lock.json

Zero-Trust Architecture

Every interaction requires verification with structured error handling:

type Result<T,E extends Error> = { ok:true; value:T } | { ok:false; error:E }

function registerSupplier(raw: unknown): Result<Supplier,ValidationError> {
  const parse = Supplier.safeParse(raw);
  return parse.success ? { ok:true, value:parse.data } : { ok:false, error:parse.error };
}

Transform Your Development Security Posture

Before: Vulnerable Supply Chain

Manual security reviews that happen too late
Unknown dependencies in production code
Unsigned artifacts that could be tampered with
No visibility into supplier security posture
Reactive security incident response

After: Fortress-Grade Security

Automated security gates block vulnerable code at PR time
Complete SBOM visibility for every component
Cryptographically signed and verified artifacts
Continuous supplier risk monitoring with SecurityScorecard integration
Proactive threat detection with AI-driven anomaly detection

Real Developer Workflows

Secure Dependency Management

Stop blindly trusting package registries. Pin exact versions and validate every dependency:

// src/types/dependency-validation.ts
import { z } from 'zod';

const DependencyManifest = z.object({
  name: z.string(),
  version: z.string().regex(/^\d+\.\d+\.\d+$/), // Exact version only
  integrity: z.string(),
  signatures: z.array(z.string())
});

export function validateDependency(manifest: unknown): Result<DependencyManifest, ValidationError> {
  const parse = DependencyManifest.safeParse(manifest);
  return parse.success ? { ok: true, value: parse.data } : { ok: false, error: parse.error };
}

Automated SBOM Generation

Get complete visibility into your software composition:

# .github/workflows/security-build.yml
- name: Generate SBOM
  run: |
    syft . -o spdx-json > sbom.spdx.json
    syft . -o cyclonedx-json > sbom.cyclonedx.json
    
- name: Upload SBOM to Registry
  run: |
    cosign attach sbom --sbom sbom.spdx.json ghcr.io/org/app:${{ github.sha }}

Supplier Risk Monitoring

Continuously assess your third-party vendors:

// src/domain/supplier-assessment.ts
interface SupplierScorecard {
  supplierId: string;
  securityRating: number;
  lastAssessment: Date;
  criticalVulnerabilities: number;
  complianceStatus: 'compliant' | 'non-compliant' | 'pending';
}

export class SupplierMonitor {
  async assessSupplier(supplierId: string): Promise<Result<SupplierScorecard, AssessmentError>> {
    // Integration with SecurityScorecard API
    const assessment = await this.securityScorecard.getSupplierRating(supplierId);
    
    if (assessment.securityRating < 70) {
      return { ok: false, error: new AssessmentError('Supplier below security threshold') };
    }
    
    return { ok: true, value: assessment };
  }
}

Implementation Guide

1. Set Up Your Security Foundation

Create your security configuration:

# Install security tooling
npm install --save-dev @types/node zod pino
npm install --global @cyclonedx/cli syft cosign

# Configure exact dependency pinning
npm pkg set engines.node=">=18.0.0"
npm pkg set overrides.axios="1.6.2"

2. Implement Core Security Modules

Structure your project with security isolation:

src/
├── domain/              # Pure business logic
│   ├── supplier-management.ts
│   └── risk-assessment.ts
├── adapters/           # External integrations
│   ├── security-scorecard.ts
│   └── vulnerability-scanner.ts
├── infra/              # Cloud security services
│   ├── kms-signing.ts
│   └── secret-manager.ts
└── types/              # Security contracts
    ├── supplier.ts
    └── vulnerability.ts

3. Configure Your Security Pipeline

Set up automated security gates in GitHub Actions:

# .github/workflows/security-pipeline.yml
name: Security Pipeline
on: [push, pull_request]

permissions:
  contents: read
  id-token: write
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      
      - name: Setup Node.js
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
        
      - name: Install dependencies
        run: npm ci --ignore-scripts
        
      - name: Run security audit
        run: npm audit --audit-level=critical
        
      - name: Generate SBOM
        run: syft . -o spdx-json > sbom.spdx.json
        
      - name: Vulnerability scan
        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
        
      - name: Build and sign artifacts
        run: |
          npm run build
          cosign sign --key kms://gcp/projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY dist/

4. Enable Continuous Monitoring

Set up real-time security monitoring:

// src/adapters/security-monitor.ts
import { EventEmitter } from 'events';

export class SecurityMonitor extends EventEmitter {
  private honeytokens: Map<string, string> = new Map();
  
  constructor(private logger: Logger) {
    super();
    this.deployHoneytokens();
  }
  
  private deployHoneytokens() {
    // Deploy decoy secrets that alert when accessed
    this.honeytokens.set('fake-api-key', 'honey_123456789');
    this.honeytokens.set('fake-db-password', 'honey_password123');
  }
  
  detectAnomalies(event: SecurityEvent): void {
    if (this.honeytokens.has(event.resource)) {
      this.logger.error({
        event: 'honeytoken_access',
        resource: event.resource,
        sourceIP: event.sourceIP,
        timestamp: new Date().toISOString()
      });
      
      this.emit('security_breach', event);
    }
  }
}

Expected Results & Impact

Security Improvements

95% reduction in vulnerable dependencies reaching production
Zero unsigned artifacts in your supply chain
Complete visibility into all software components via SBOMs
Automated threat detection with sub-minute response times

Developer Productivity Gains

Shift-left security catches issues during development, not production
Automated compliance reporting reduces manual security reviews by 80%
Streamlined vendor onboarding with standardized security assessments
Faster incident response with structured logging and monitoring

Operational Benefits

Compliance-ready documentation for SOC 2, ISO 27001, and industry standards
Audit trails for every artifact and dependency decision
Risk-based supplier management with automated scorecards
Immutable security evidence stored in transparency logs

Your development team gets enterprise-grade supply chain security without sacrificing velocity. Every commit is automatically validated, every dependency is verified, and every deployment is cryptographically signed and tracked.

The rules transform your TypeScript applications into a secure-by-design system that proactively prevents supply chain attacks while maintaining the development experience your team expects.

End-to-End Supply-Chain Security Ruleset