20 QUESTIONS • 5 MINS

Where does your supply chain security actually stand?

Answer 20 questions about your current artifact and supply chain practices. We'll place you on a six-level maturity model and show where your team is strongest, where risk remains, and what to prioritize next.


Maturity models

Level 0 of 6 — Unmanaged

Industry benchmark: ~20% of orgs

Artifacts are produced and distributed without governance, traceability, or security controls.

Artifact Management

How you store, version, promote, and distribute binaries, packages, images, and ML models.

  • Artifact Storage & Repository Governance

    No central governance

    Artifacts are often pulled from public repositories and stored on local machines, shared drives, or ad-hoc object storage with no central governance. There is no single source of truth for what has been built or deployed.

  • Artifact Signing & Integrity Verification

    No signing or verification

    Artifacts are unsigned and there is no verification step before deployment. There is no way to detect whether an artifact has been tampered with after it was built.

  • SBOM & Provenance

    No SBOMs or provenance

    No SBOMs or provenance documents are generated. You have no machine-readable record of what components are in your software or where they came from.

  • Build Pipeline Integrity

    Local builds, no isolation

    Production builds run on developer laptops or long-running shared build servers. There is no isolation between builds, and the provenance of artifacts cannot be verified.

Supply Chain Security

Controls across your dependency graph: proxying, scanning, signing, policy management, and protection against supply chain attacks.

  • Public Dependency Consumption

    Direct public internet pulls

    Builds pull dependencies directly from the public internet with no proxy, no caching, and no security policy. You have no visibility into or control over what enters your build from upstream registries.

  • Vulnerability Management

    No vulnerability scanning

    No vulnerability scanning is in place. You have no systematic way to know whether the packages in your builds or registries contain known CVEs.

  • Supply Chain Attack Protection

    No attack protection

    No protections are in place against dependency confusion, typosquatting, or package substitution attacks. Your build graph is exposed to name-based supply chain attacks.

Regulatory Alignment

Your auditability and compliance posture as it relates to visibility and governance of your supply chain.

  • License Compliance

    No license tracking

    License obligations across your dependencies are unknown. There is no process to identify or track open-source license types, creating significant legal and distribution risk.

  • Compliance Evidence & Audit Readiness

    No audit trail

    No audit trail exists for artifact operations. In the event of an audit or incident, you would have no systematic records of what was built, accessed, or deployed.

  • Incident Response

    No supply chain IR

    If a critical CVE were found in production today, your team would have no systematic way to identify which artifacts or services are affected. Response would be entirely manual and time-consuming.

Framework Readiness

How your current practices map to the specific controls, attestations, and documentation requirements of each major compliance framework.

  • SLSA

    No provenance

    Your build process does not yet produce provenance documentation. Artifacts cannot be traced cryptographically from source to registry, leaving your supply chain integrity unverifiable.

  • FedRAMP

    Insufficient controls

    Your current controls are insufficient to support a FedRAMP assessment. Foundational requirements such as vulnerability scanning, access control, and audit logging are not yet in place.

  • CRA

    Significantly underprepared

    Your current practices leave you significantly underprepared for CRA compliance. SBOM generation, component documentation, and vulnerability disclosure processes, all mandatory under the CRA, are not yet established.

  • DORA

    Significant ICT risk exposure

    Your current practices create significant ICT risk exposure under DORA. Dependency documentation, vulnerability management SLAs, and third-party oversight processes, all required under DORA, are not in place.

  • S2C2F

    Ungoverned OSS consumption

    Your open-source dependency consumption is ungoverned. You lack the inventory, scanning, and governance practices that form the baseline of the Secure Supply Chain Consumption Framework.

  • ISO 27001

    Insufficient documentation

    Your current artifact and supply chain practices lack the documentation and controls needed to support ISO 27001 certification. No systematic evidence of supplier security, vulnerability management, or access governance exists.