Understanding Supply Chain Threats with Static Analysis

February 24, 2024 · 18 min · Free

Description

With increasing rates of supply chain attacks and vulnerabilities, there is a need for greater visibility into what behaviors are present in a package’s dependencies. Each Go package has an implicit set of expected capabilities: for example, it would be unexpected for a numerical analysis package to require network access. This talk presents a CLI tool for Go that highlights privileged capabilities in your package’s dependencies, both to prevent supply chain attacks and to motivate secure coding practices within the ecosystem. It covers the problems in open source security and the concept of capability analysis, then introduces the analyzer, capslock, with examples.
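As an added illustration of the capability idea (not code from the talk or from capslock itself): a toy analyzer that maps a dependency's imports to coarse capabilities and reports any that fall outside what the consuming package expects, such as NETWORK in a numerics library. The capability table and the sample dependency are constructed for this example; capslock itself works from the call graph, which is far more precise than import lines.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Hypothetical import-to-capability table, a deliberately simple stand-in for
// the call-graph analysis a real tool performs.
var capabilityOf = map[string]string{
	"net": "NETWORK", "net/http": "NETWORK", "os/exec": "EXEC",
	"os": "FILES", "syscall": "SYSTEM_CALLS", "unsafe": "UNSAFE_POINTER",
}

// Unexpected parses one Go source file and returns, sorted, every capability
// its imports imply that is not in the caller's expected set for that dependency.
func Unexpected(src string, expected []string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "dep.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	allowed := map[string]bool{}
	for _, e := range expected {
		allowed[e] = true
	}
	found := map[string]bool{}
	for _, imp := range f.Imports { // imp.Path.Value still carries its quotes
		c, ok := capabilityOf[strings.Trim(imp.Path.Value, `"`)]
		if ok && !allowed[c] {
			found[c] = true
		}
	}
	var bad []string
	for c := range found {
		bad = append(bad, c)
	}
	sort.Strings(bad)
	return bad, nil
}

// Constructed sample: a "numerical analysis" dependency that also imports net/http.
const sampleDep = "package numerics\nimport (\n\t\"math\"\n\t\"net/http\"\n)\nfunc Mean(xs []float64) float64 { return math.Abs(xs[0]) }\n"

func main() {
	bad, err := Unexpected(sampleDep, []string{"FILES"}) // numerics may touch files, never the network
	fmt.Println(bad, err)
}
```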