
Modern application supply chains extend far beyond the operating system packages included in a container image. Today, most applications also depend on large ecosystems such as NPM and PyPI, where a single deployment may pull in hundreds or thousands of transitive dependencies maintained by unknown third parties.
Minimus Supply Chain Protection helps security and platform teams reduce risk from compromised or untrusted application dependencies without disrupting existing developer workflows. Acting as a control layer between developers and public package repositories, it allows organizations to evaluate, control, and audit application dependencies before they are consumed by developers or CI/CD pipelines.
This capability was built to address a growing problem across modern software delivery pipelines: traditional vulnerability scanning and malware detection do not provide enough visibility or control over the application package ecosystem.
With Minimus Images, customers get a container image built directly from upstream source in the Minimus SLSA L3 build system. This approach reduces vulnerabilities in the base image by an average of 98%.
The package universe that Minimus images are built from consists of many tens of thousands of packages. While this is significant, the established patterns for building and maintaining operating system packages offer a sustainable path to assembling base images in a consistent and repeatable way.
However, there are additional package universes beyond those available through an operating system package manager, for example NPM and PyPI. While the operating system package universe holds tens of thousands of packages, the NPM and PyPI universes hold tens of millions of application packages with interwoven dependencies and widely varying quality.
This creates a fundamentally different security challenge than operating system package management.
Building these packages from source, as we do for base images, presents a challenge of scale and would not provide a meaningful security guarantee to customers: a faithful rebuild of a package whose upstream source is itself malicious or unmaintained is still malicious or unmaintained. A different approach is required to scale, and to address the unique challenges posed by application package managers and the package ecosystems they provide access to.
Before we discuss the solution, it is important to understand some of the characteristics of modern application package ecosystems:
Given the characteristics above, simply scanning for malware, or building from the package source, will inherently be limited in coverage, efficacy, and utility.
A different approach that scales with the characteristics of the ecosystem is required to provide a real security benefit.
Minimus approaches supply chain protection through an evaluation of the metadata around packages in the NPM and PyPI application package universe. Rather than relying exclusively on malware detection or vulnerability scanning, Minimus evaluates trust and risk characteristics associated with packages and their dependency chains before they are consumed by developers or CI/CD pipelines, allowing organizations to enforce policies around which packages can be used.
With Minimus Supply Chain Protection, you can configure policies based on aspects of package metadata, such as commit activity, package popularity, use of a cooling off period, as well as explicit allow and block settings.
Minimus assembles these and other factors into a risk score with a set of defaults we believe strike the best balance between security and compatibility; however, we expose the underlying controls to customers who wish to configure them to match their own security requirements and risk tolerance.

The protection is implemented by using Minimus as a pull-through proxy for NPM and PyPI. Because the proxy sits between the package manager and the public registry, developers keep using their existing tooling, while security and platform engineering teams gain the ability to control and report on the dependencies being consumed. Customers can build multiple configurations with varying risk tolerance for environments and teams that have different security priorities.

Minimus policy controls are flexible and continue to expand; you can create multiple policies for different environments and security profiles.
Minimus gives you controls that look at the characteristics of a package, allowing you to evaluate:
In addition to the above controls, Minimus also lets you explicitly allow or deny individual packages.
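To make the metadata-driven policy model described above concrete (the controls listed under policy configuration, plus the explicit allow and block settings), here is an added example that is not Minimus code and does not reflect the product's actual scoring. It evaluates constructed package metadata against a policy that combines a cooling-off period, a popularity floor, commit recency, and allow/block lists into a risk score and an enforcement decision (allow, warn, or block). The field names, weights, and thresholds are illustrative assumptions.

```python
"""Illustrative metadata-based dependency policy (added example, not Minimus code).

Combines several package-metadata signals into a risk score and an
enforcement decision. All weights, thresholds, and field names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class PackageMetadata:
    ecosystem: str              # "npm" or "pypi"
    name: str
    version: str
    published: date             # publish date of this specific version
    weekly_downloads: int       # popularity signal
    last_commit: Optional[date] # None when no source repository is linked


@dataclass
class Policy:
    cooling_off_days: int = 7        # reject versions newer than this
    min_weekly_downloads: int = 1000 # popularity floor
    max_commit_age_days: int = 365   # commit activity window
    block_threshold: int = 50        # score >= threshold -> block, >0 -> warn
    allow: set = field(default_factory=set)  # keys of the form "ecosystem:name"
    block: set = field(default_factory=set)


def evaluate(pkg: PackageMetadata, policy: Policy, today: date) -> dict:
    """Return {"decision", "score", "reasons"} for one package version."""
    key = f"{pkg.ecosystem}:{pkg.name}"
    # Explicit lists take precedence over every computed signal.
    if key in policy.block:
        return {"decision": "block", "score": 100, "reasons": ["explicit block"]}
    if key in policy.allow:
        return {"decision": "allow", "score": 0, "reasons": ["explicit allow"]}

    score, reasons = 0, []
    version_age = (today - pkg.published).days
    if version_age < policy.cooling_off_days:
        # A just-published version is the classic window for a hijacked release.
        score += 40
        reasons.append(f"published {version_age} day(s) ago, inside the "
                       f"{policy.cooling_off_days}-day cooling-off period")
    if pkg.weekly_downloads < policy.min_weekly_downloads:
        score += 30
        reasons.append(f"only {pkg.weekly_downloads} weekly downloads")
    if pkg.last_commit is None:
        score += 20
        reasons.append("no linked source repository")
    elif (today - pkg.last_commit).days > policy.max_commit_age_days:
        score += 20
        reasons.append(f"last commit {(today - pkg.last_commit).days} days ago")

    if score >= policy.block_threshold:
        decision = "block"
    elif score > 0:
        decision = "warn"
    else:
        decision = "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed sample data (not real packages or real metadata).
TODAY = date(2024, 6, 15)
POLICY = Policy(block={"npm:known-bad-pkg"})
SAMPLE_PACKAGES = [
    PackageMetadata("npm", "fresh-helper", "1.0.0", date(2024, 6, 13), 120, None),
    PackageMetadata("pypi", "well-known-lib", "3.2.1", date(2023, 1, 10),
                    5_000_000, date(2024, 5, 30)),
    PackageMetadata("npm", "dormant-helper", "0.4.0", date(2022, 3, 1),
                    20_000, date(2021, 12, 1)),
    PackageMetadata("npm", "known-bad-pkg", "2.0.0", date(2024, 1, 1),
                    50_000, date(2024, 1, 1)),
]


def evaluate_all(packages=SAMPLE_PACKAGES, policy=POLICY, today=TODAY) -> dict:
    """Map 'ecosystem:name' -> evaluation result for every package."""
    return {f"{p.ecosystem}:{p.name}": evaluate(p, policy, today) for p in packages}


if __name__ == "__main__":
    for key, result in evaluate_all().items():
        print(f"{key:24} {result['decision']:5} score={result['score']:3} "
              f"{'; '.join(result['reasons'])}")
```

The decision tiers map onto the idea of varying enforcement levels: a "warn" can surface as a notification while a "block" is refused by the proxy, and the reasons list is the material an audit record would carry.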

Supply Chain Protection is also supported by Minimus Actions, which notifies customers when a policy is violated, with enforcement levels and severities that vary with the assessed risk.

Finally, Minimus includes a full audit log of policies, enforcement actions, and package activity across the platform in a unified view, and the same events can be wired into the Actions capability to trigger notifications.


While Minimus already removes 98%+ of the vulnerabilities in your container base image, Supply Chain Protection extends security controls into the application package universe.
This is important because many of the highest-impact modern supply chain attacks originate above the operating system layer, inside application dependencies that traditional container security tooling often cannot evaluate effectively.
By combining hardened minimal images with policy-driven application dependency protection, organizations can reduce attack surface across both the operating system and application layers without introducing significant friction for developers.
See how Minimus Supply Chain Protection helps teams reduce dependency risk, enforce package trust policies, and gain visibility into application dependencies across the software delivery pipeline. Get a demo to explore the platform in more detail.