Software Supply-Chain Security FAQ
Isn't scanning for CVEs enough? No. CVE scanning only catches known problems, and it floods you with findings that aren't reachable in your app. Attackers exploit the window before a CVE exists, and closing that window needs novel detection.
What's the difference between a vulnerability and malware here? A vulnerability is an accidental flaw; malware is intentionally hostile code. Both arrive through dependencies, and both need defending against.
How do bad packages actually get installed? Mostly via typosquatting, dependency confusion, or a hijacked maintainer shipping malware in a trusted package.
When does the malware run? Often at install time, before your code executes.
How do I stop a bad package before it lands? A registry firewall vets packages before install, blocking known-bad ones and quarantining unknowns.
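The three questions above (typosquatting, dependency confusion, install-time scripts, and the block/quarantine/allow gate) can be tied together in one pre-install check. The following is an added example, not Verifi's code or any real firewall; the policy values (`POPULAR_NAMES`, `INTERNAL_SCOPE`, `INTERNAL_REGISTRY`) and the package inventory are constructed for illustration.

```python
import json

# Lifecycle hooks that execute code during install, before the app runs.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed policy: names to protect against look-alikes, and the internal scope
# that must only ever resolve from the private registry.
POPULAR_NAMES = {"lodash", "express", "react", "requests", "numpy"}
INTERNAL_SCOPE = "@acme/"
INTERNAL_REGISTRY = "https://npm.internal.example"

# Constructed inventory of what a lockfile says is about to be fetched (not real packages).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "lodash", "version": "4.17.21", "registry": "https://registry.npmjs.org", "scripts": {}},
  {"name": "lodahs", "version": "1.0.0", "registry": "https://registry.npmjs.org",
   "scripts": {"postinstall": "node setup.js"}},
  {"name": "@acme/billing-core", "version": "9.9.9", "registry": "https://registry.npmjs.org", "scripts": {}},
  {"name": "@acme/logging", "version": "1.4.2", "registry": "https://npm.internal.example", "scripts": {}},
  {"name": "left-pad-ng", "version": "0.1.0", "registry": "https://registry.npmjs.org",
   "scripts": {"prepare": "./build.sh"}}
]""")

def edit_distance(a, b):
    """Plain Levenshtein distance; used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def gate(inventory):
    """Return a block / quarantine / allow decision with reasons for each package."""
    findings = []
    for pkg in inventory:
        name, reasons = pkg["name"], []
        hooks = [h for h in LIFECYCLE_HOOKS if h in pkg.get("scripts", {})]
        if hooks:  # unknown package that runs code at install time: hold it for review
            reasons.append("runs code at install time: " + ", ".join(hooks))
        if name.startswith(INTERNAL_SCOPE) and pkg["registry"] != INTERNAL_REGISTRY:
            reasons.append("internal scope resolved from public registry (dependency confusion)")
        if name not in POPULAR_NAMES and len(name) >= 5:
            near = sorted(p for p in POPULAR_NAMES if edit_distance(name, p) <= 2)
            if near:
                reasons.append("within 2 edits of " + ", ".join(near) + " (possible typosquat)")
        blocking = any("confusion" in r or "typosquat" in r for r in reasons)
        decision = "block" if blocking else ("quarantine" if hooks else "allow")
        findings.append({"package": f"{name}@{pkg['version']}", "decision": decision, "reasons": reasons})
    return findings
```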
Do I need an SBOM? Increasingly yes, for incident response and compliance. Pair it with VEX so it carries answers, not just a list of CVEs.
Will a security vendor see my source code? They shouldn't have to. Verifi works on manifests/metadata by default; the only step that reads source runs inside your perimeter.