Supply chain vulnerabilities have increasingly become a significant concern within the software industry, often originating during the continuous integration and continuous deployment (CI/CD) stages. Build application firewalls (BAFs) are emerging as a critical solution to address these issues and secure the application development process.
Understanding Supply Chain Threats
The 2020 SolarWinds breach, in which a backdoor inserted into the build of the Orion platform reached roughly 18,000 organizations, showed how severe a supply chain attack can be. The lesson was that the build and release pipeline of a widely used product is itself an attack surface. Despite that wake-up call, similar attacks keep occurring, which shows how hard the supply chain remains to secure.
In March 2026, North Korean attackers targeted the Axios npm library by hijacking a maintainer's account and publishing two malicious versions. Because Axios is so widely used and many builds pull the newest compatible version automatically, an estimated 3% of users downloaded the harmful versions before they were pulled, and CI/CD systems that installed them deployed a remote access trojan.
Recent Incidents and Vulnerabilities
Around the same time, other early-2026 attacks targeted Aqua's Trivy vulnerability scanner, BerriAI's LiteLLM, and Checkmarx/kics, each aiming to get into the CI/CD processes of a popular tool. Mercor, for example, reported being among the thousands affected by a LiteLLM-related supply chain attack, and the European Commission lost 300 GB of data through an API key compromised in the Trivy incident.
These incidents show how malicious code gets into CI/CD systems. Build systems resolve dependencies automatically from public registries such as npm or PyPI, so a malicious release, a typosquatted package name, or a package from a compromised maintainer account can land in a build without anyone reviewing it.
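The pre-install checks a build can run on its own lockfile, as an added example (this is not InvisiRisk's code or npm's). It reads npm's real lockfileVersion 3 layout, where "packages" is keyed by node_modules path and each entry carries "version", "resolved" and "integrity"; the approved registry, the list of well-known names used for typosquat detection, the denylist and the sample lockfile itself are constructed for the example.

```python
"""Audit an npm lockfile (lockfileVersion 3) for common supply-chain red flags.

Added illustration, not InvisiRisk's or npm's code. The lockfile layout
("packages" keyed by node_modules path, with "version", "resolved",
"integrity") is npm's real v3 format; the allowlist, denylist and sample
lockfile below are constructed for the example.
"""
import json

ALLOWED_REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed: names a typosquatter would imitate (use your real top dependencies).
WELL_KNOWN = {"axios", "lodash", "express", "react", "chalk"}

# Constructed: (name, version) pairs the team has decided to block,
# for instance versions published from a hijacked maintainer account.
DENYLIST = {("evil-example-lib", "1.0.1")}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a well-known name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested and scoped packages)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json: str) -> list:
    """Return (name, version, reason) findings for every suspicious lockfile entry."""
    lock = json.loads(lock_json)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # the root project or a workspace symlink, not a fetched tarball
        name = package_name(path)
        version = entry.get("version", "")
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")

        # Tarballs must come from the approved registry, not a mirror or a git URL.
        if not resolved.startswith(ALLOWED_REGISTRY_PREFIX):
            findings.append((name, version, "resolved outside approved registry: " + (resolved or "<none>")))
        # Without a strong integrity hash the registry could serve a different tarball next time.
        if not integrity.startswith(("sha512-", "sha256-")):
            findings.append((name, version, "missing or weak integrity hash"))
        if (name, version) in DENYLIST:
            findings.append((name, version, "version is on the denylist"))
        # A name within two edits of a well-known package is worth a human look.
        if name not in WELL_KNOWN and len(name) >= 4:
            close = sorted(k for k in WELL_KNOWN if levenshtein(name, k) <= 2)
            if close:
                findings.append((name, version, "possible typosquat of " + ", ".join(close)))
    return findings


# Constructed sample lockfile; the integrity values are placeholders, not real digests.
_FAKE_SHA512 = "sha512-" + "0" * 88
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {
            "version": "1.7.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.0.tgz",
            "integrity": _FAKE_SHA512,
        },
        "node_modules/axois": {  # one transposition away from axios
            "version": "0.0.3",
            "resolved": "https://registry.npmjs.org/axois/-/axois-0.0.3.tgz",
            "integrity": _FAKE_SHA512,
        },
        "node_modules/lodash": {  # unapproved mirror and no integrity hash
            "version": "4.17.21",
            "resolved": "https://mirror.example.internal/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/evil-example-lib": {
            "version": "1.0.1",
            "resolved": "https://registry.npmjs.org/evil-example-lib/-/evil-example-lib-1.0.1.tgz",
            "integrity": _FAKE_SHA512,
        },
        "node_modules/@acme/internal-utils": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-2.3.1.tgz",
            "integrity": _FAKE_SHA512,
        },
    },
})

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run against the constructed lockfile, the audit flags four problems (the typosquat, the mirror-resolved and hash-less lodash entry, and the denylisted version) and passes axios and the scoped package. In a real pipeline this runs before `npm ci`, and `npm ci --ignore-scripts` plus a lockfile committed to the repository keeps the install from resolving anything the audit did not see.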
The Role of Build Application Firewalls
Traditional scanners inspect code and artifacts before, during, or after the build, but they cannot catch everything. Some malicious behaviour looks like ordinary build activity (an unexpected push or API call to GitHub, for example), and scanners keyed to known signatures miss zero-day vulnerabilities that no tool yet recognizes.
David Pulaski, co-founder of InvisiRisk, argues that rather than relying on scanning alone, every package entering the build should be inspected as it is used. InvisiRisk has built a BAF for CI/CD environments that works like a security guard: it watches what the build actually does from the inside and blocks actions that violate policy.
Where hardened runners typically observe only DNS lookups, the BAF performs deep packet inspection of the build's traffic, so a breach can be identified at the level of individual requests rather than hostnames. That is what lets it flag unexpected activity, such as a dependency install that starts writing to a source repository, and stop it before it does damage. One caveat for anyone evaluating such tools: inspecting HTTPS payloads requires either terminating TLS inside the build environment or hooking the process on the runner, so check how a product gets that visibility and what it does to the build's trust store.
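What a build-time monitor checks once it can see individual requests, as an added example of the idea rather than InvisiRisk's product or any hardened-runner tool: each pipeline step gets a policy of hosts and methods it is allowed to use, and every observed request is evaluated against it. The log format (one key=value record per request), the policy, the egress threshold and the sample records are constructed for the example; a real monitor would fill the same fields from its own traffic capture.

```python
"""Evaluate a build job's observed network requests against a per-step egress policy.

Added illustration of what a build application firewall checks; not InvisiRisk's
code. The record format, policy and sample log are constructed assumptions.
"""

# Constructed policy: which hosts and HTTP methods each pipeline step may use.
POLICY = {
    "install": {"registry.npmjs.org": {"GET"}},
    "test": {},  # unit tests should need no network at all
    "publish": {
        "registry.npmjs.org": {"GET", "PUT"},
        "api.github.com": {"GET", "POST"},
    },
}
MAX_BYTES_OUT = 1_000_000  # a build uploads almost nothing outside the publish step


def parse_record(line: str) -> dict:
    """'step=install host=a method=GET bytes_out=3' -> {'step': 'install', ...}."""
    rec = {}
    for tok in line.split():
        key, _, value = tok.partition("=")
        rec[key] = value
    rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    return rec


def evaluate(lines: list) -> list:
    """Return (line_number, reason) for every record that violates POLICY."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        step, host, method = rec.get("step"), rec.get("host"), rec.get("method")
        allowed = POLICY.get(step, {})  # an unknown step is allowed nothing
        if host not in allowed:
            findings.append((n, f"step {step!r} may not talk to {host}"))
        elif method not in allowed[host]:
            findings.append((n, f"step {step!r} may not {method} to {host}"))
        # Volume matters independently of the destination: an allowed host can still be an exfil channel.
        if rec["bytes_out"] > MAX_BYTES_OUT:
            findings.append((n, f"{rec['bytes_out']} bytes sent to {host} exceeds egress limit"))
    return findings


# Constructed request records for one pipeline run (203.0.113.7 is a documentation address).
SAMPLE_LOG = [
    "step=install host=registry.npmjs.org method=GET path=/axios/-/axios-1.7.0.tgz bytes_out=400",
    "step=install host=registry.npmjs.org method=GET path=/lodash/-/lodash-4.17.21.tgz bytes_out=380",
    "step=install host=api.github.com method=POST path=/repos/acme/demo-app/contents/.github/workflows/ci.yml bytes_out=2100",
    "step=test host=203.0.113.7 method=POST path=/upload bytes_out=5000000",
    "step=publish host=registry.npmjs.org method=GET path=/-/ping bytes_out=120",
    "step=publish host=api.github.com method=POST path=/repos/acme/demo-app/releases bytes_out=900",
    "step=publish host=api.github.com method=DELETE path=/repos/acme/demo-app/git/refs/heads/main bytes_out=80",
]

if __name__ == "__main__":
    for n, reason in evaluate(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

On the constructed run the install step's POST to GitHub, the test step's upload to an unknown address (flagged both for the host and for the 5 MB sent), and the publish step's DELETE are reported; the ordinary registry fetches and the release POST pass. A monitor that enforces rather than reports would deny the request at the point it is observed, and for HTTPS the method and path are only available if the tool terminates TLS or hooks the process on the runner.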
Advancements in Software Bill of Materials (SBOM)
BAFs also have a role in improving the quality and accuracy of Software Bills of Materials (SBOMs), which underpin software transparency and compliance. InvisiRisk's TruSBOM tool is designed to produce a complete SBOM by observing the build directly, so that the provenance and dependencies of every component are recorded from what was actually fetched and linked rather than from what a manifest declares.
The global push for SBOMs, reinforced by regulations such as U.S. Executive Order 14028 (2021), aims to reduce supply chain risk by giving clearer visibility into software components. Producing a high-quality SBOM remains hard, however, and that is the gap InvisiRisk's approach targets: a detailed view of what went into the software, combined with controls that stop unauthorized data movement during the build.
In short, as supply chain attacks keep rising, a build application firewall can strengthen software security on two fronts: stopping harmful code from entering during the build, and producing an SBOM whose integrity rests on observation of the build itself.
