Framework Insights and Automated Attestation for Software Supply Chain Security
Type
Master's Thesis
Abstract
The escalating threat of software supply chain attacks necessitates robust security measures; however, current guidance is fragmented across numerous, often overlapping, frameworks. This thesis addresses this challenge through a dual approach. First, it conducts a systematic comparative analysis of five prominent software supply chain security frameworks - ESF, S2C2F, SCVS, SLSA, and an academic SoK taxonomy - by decomposing their 284 guidelines into 1,321 atomic, actionable statements. These statements were then thematically labeled and semantically compared to define each framework's scope, identify areas of consensus, reveal gaps, and highlight specialized strengths. The analysis found ESF to be the most comprehensive, while S2C2F, SCVS, and SLSA offer significant depth in specific niches, namely consumption, component verification, and build integrity, respectively. This underscores that no single framework is universally optimal.
Second, this research develops and evaluates a Proof-of-Concept (PoC) system to demonstrate the feasibility of automating compliance attestation. The PoC automatically verifies a targeted subset of the decomposed guidelines for selected open-source projects, embedding cryptographically signed conformance attestations - including claims, evidence, and targets - directly within a Software Bill of Materials (SBOM). A companion visualization tool enables human inspection and signature verification of these enriched SBOMs. A feasibility study confirmed the viability of this end-to-end process, showcasing a practical pathway for integrating verifiable compliance into the software development lifecycle. Ultimately, this work provides a clearer map of the current guidance landscape and demonstrates a practical path to embedding verifiable compliance, advancing the automation and trustworthiness of software supply chain security.
Subject/keywords
Cybersecurity, Software Supply Chain, Software Supply Chain Security, SBOM, Security Frameworks, SSCS Guidelines, CycloneDX, S2C2F, SLSA, ESF, SCVS