Software Supply Chain Security: What CVE Scanners Miss

The Common Vulnerabilities and Exposures (CVE) scan passes. And thankfully, no critical CVEs were found. The dashboard stays green, which means that everything looks good enough to ship. Why not? That is the default. A clean scan becomes shorthand for acceptable risk.

That is the default. A clean scan becomes shorthand for acceptable risk. Most software supply chain security failures do not start with a missing patch. They start with trust assumptions that automated scanners were never built to question.

However, some of the most damaging attacks in recent years never triggered a CVE alert at all. In the SolarWinds attack, malicious code was injected into the build pipeline and shipped as a trusted update, without any CVE to flag it.

Compromised packages, malicious maintainer updates, and poisoned build pipelines often operate outside vulnerability databases. Your scanner isn’t designed to see them.

So now, let me ask you a difficult question. If your pipeline only measures known vulnerabilities, how confident are you about the software you actually trust to build and ship your product?

Why do teams rely on CVE scanning for supply chain security?

Security teams didn’t adopt CVE scanning for software supply chains by accident. It solved a real operational problem. Modern applications depend on thousands of external packages.

Every service, framework, SDK, and build tool pulls in layers of dependencies that change constantly. Tracking vulnerabilities across that graph manually is impossible, which is where CVE databases and automated scanners became essential.

Several practical advantages pushed CVE scanning into the center of supply chain security workflows.

• CVE databases scale across large dependency graphs: scanners can compare thousands of dependencies against vulnerability records in seconds and identify affected packages automatically.
• The data source is standardized and widely accepted: CVE identifiers provide a common reference that vendors, scanners, and security teams can all understand and track.
• Automated scanners fit naturally into CI/CD pipelines: every commit or build can trigger a dependency check without slowing down development workflows.
• The output is measurable and repeatable: security teams can track vulnerability counts, severity levels, and remediation progress across releases.
• It creates clear policy gates in pipelines: builds can fail automatically if a critical CVE appears in a dependency, which makes enforcement straightforward.
• Compliance frameworks recognize CVE tracking as evidence of vulnerability management: audit teams can easily map scan results to vulnerability management controls.

Over time, this created a simple operational signal inside development pipelines. If a dependency scan reports no critical CVEs, the release moves forward. A green report becomes shorthand for acceptable risk.

The problem is that CVE scanning was designed to track published vulnerabilities in known software components. It was never designed to model how modern software supply chains actually behave.

Where software chain risk enters, and why scanners don’t see it?

Dependency scanners answer one narrow question: Does a component contain a known vulnerability?

Supply chain risk enters your system through something very different. It comes from the trust relationships you build, which depend on every day process. Those trust assumptions exist across dependencies, build systems, update mechanisms, and distribution pipelines. Most of them are never evaluated by vulnerability scanners.

Transitive dependencies your team never reviewed

Your team usually approves the libraries added directly to the codebase. But those libraries bring their own dependencies, and those packages pull in additional code, executables, and runtime components your team never reviewed.

A single framework can introduce dozens of additional components into the runtime without any direct decision from your team.

• Many transitive packages never appear in code review.
• Maintainers of upstream libraries control which packages get introduced.
• Changes in upstream dependency trees can alter what your application executes.

Your system ends up running code that no one on your team explicitly evaluated.

Implicit trust in build systems and CI/CD pipelines

Build systems sit in the middle of the software supply chain. They assemble code, fetch dependencies, run scripts, and produce deployable artifacts. Those systems have significant control over what eventually ships.

• CI jobs can fetch external scripts or packages during builds.
• Build plugins and automation tools that run with high privileges.
• A compromised pipeline can inject changes into otherwise clean code.

When attackers gain access to build infrastructure, they can alter artifacts without modifying the source code that developers review.

Update, signing, and distribution mechanisms

Modern development workflows rely on automated updates and distribution channels to move software quickly. That convenience also introduces risk.

• Package registries allow maintainers to publish new versions that downstream systems automatically pull.
• Signing keys or maintainer accounts can be compromised.
• Automated update mechanisms propagate changes across environments quickly.

If a malicious update enters the ecosystem, it can spread through normal update workflows before anyone notices.

Code provenance and integrity risks

Teams often assume the code retrieved from registries and repositories is authentic and unchanged. That assumption depends on a chain of controls working correctly, such as:

• Repository access controls
• Maintainer permissions
• Artifact signing
• Registry integrity protections

If any part of that chain fails, untrusted code can enter the pipeline while still appearing legitimate.

Behavioral changes that bypass CVE detection

Software behavior can change significantly without introducing a vulnerability that receives a CVE. A new dependency version might:

• Add background network calls
• Introduce new runtime components
• Expand permissions or access patterns
• Modify authentication or data handling logic

None of these changes necessarily triggers a vulnerability disclosure, yet they can alter the security posture of the application.

When scanners report no critical vulnerabilities, pipelines pass, and dashboards turn green. That signal is easy to interpret: the release appears safe.

The problem is that scanners only confirm the absence of known vulnerabilities in the components they analyze. They do not evaluate whether the software entering the build process should be trusted, how dependencies arrived in the environment, or whether the supply chain itself has been manipulated.

What CVE scanners cover and miss?

CVE scanners check whether your dependencies contain known, published vulnerabilities. They do not check whether those dependencies can be trusted, whether your build pipeline has been tampered with, or whether a package update has introduced malicious behavior, none of which generates a CVE.

Here is what falls on each side of that boundary.

What CVE scanners cover

When a vulnerability is publicly disclosed and tied to a specific component version, CVE scanners provide strong operational value.

• Known vulnerabilities in third-party dependencies. Scanners map packages and versions in your application to published CVE records.
• Severity classification and prioritization. Security teams can rank findings based on CVSS scores and focus on critical issues first.
• Automated checks across repositories and pipelines. Scans can run during builds or pull requests, ensuring new dependencies are evaluated automatically.
• Measurable vulnerability management. Teams can track remediation timelines, vulnerability counts, and patch adoption across releases.
• Audit and compliance evidence. Scan results provide traceable proof that known vulnerabilities are being monitored and addressed.

CVE scanners are highly effective when the risk is a documented vulnerability in a known component.

What CVE scanners miss

Supply chain attacks often enter systems through mechanisms that do not generate a vulnerability record at the time of compromise. Because scanners rely on published CVE databases, they cannot detect issues that originate outside that model.

Common blind spots include:

• Compromised build pipelines or build infrastructure.
• Malicious package updates introduced by maintainers or attackers.
• Tampered scripts or tools used inside CI/CD environments.
• Changes in dependency behavior that alter application risk without introducing a vulnerability.
• Trust failures in package distribution or artifact repositories.

Several widely known incidents illustrate these limitations:

The SolarWinds Orion compromise (2020)

The SolarWinds Orion supply chain attack showed how attackers can compromise software during the build process itself. In this case, adversaries gained access to SolarWinds’ build environment and inserted malicious code into legitimate Orion software updates. The compromised binaries were then digitally signed and distributed to customers through the official update channel.

From the perspective of dependency scanners, nothing appeared unusual. The software packages involved did not contain a known vulnerability listed in a CVE database. The malicious behavior originated from code that had been injected into the build process rather than from a vulnerable dependency.

The Codecov Bash uploader breach (2021)

A similar blind spot appeared during the Codecov supply chain attack. Attackers modified Codecov’s Bash uploader script, which many organizations executed as part of their CI pipelines. The altered script quietly exfiltrated environment variables and credentials from affected environments.

Again, no vulnerable dependency existed for a scanner to detect. The compromise occurred in a trusted script used during the build stage, and not in a package version associated with a CVE.

The event-stream npm compromise (2018)

The event-stream npm compromise demonstrated another pathway. The widely used event-stream package was transferred to a new maintainer who introduced a malicious dependency targeting cryptocurrency wallets. The malicious behavior was embedded in a package update distributed through the normal npm ecosystem.

When the package was published, no vulnerability record existed. Dependency scanners saw a legitimate package version and reported no issues.

The gap between vulnerability detection and supply chain trust

These incidents highlight a structural limitation rather than a tooling failure. CVE scanners are designed to detect known vulnerabilities in components, but they are not designed to model how software enters your environment, how trust is established across the supply chain, or whether a trusted dependency has been compromised.

That gap is where software supply chain security actually begins. The scanner confirms that no known flaws appear in the dependencies it analyzed. It does not confirm that the software entering the build and release process is trustworthy.

A practical software supply chain security audit for engineering teams

If CVE scanning only covers a narrow slice of supply chain risk, how should teams evaluate the rest of the exposure? Auditing software supply chain risk requires examining four areas: your full dependency tree, build and pipeline access, update controls, and how trust decisions get made during architecture design.

The following approach gives security and engineering teams a repeatable way to audit those areas.

Step 1: Map every dependency your application runs on

Most teams only see the dependencies they add directly to a project. The actual trust surface is much larger because every library introduces additional components.  Start by generating a complete dependency tree, including transitive packages. This reveals the full set of code that will execute inside the application environment.

Once the tree is visible, examine how those dependencies interact with the system:

• Identify packages that interact with external services or process external input.
• Flag components that run with elevated privileges or access sensitive data.
• Note dependencies that fetch additional resources or plugins during runtime or build stages.
• Identify packages that update automatically or resolve versions dynamically during builds.

The goal is to understand which parts of the dependency graph carry the most trust risk.

Step 2: Audit who can modify your CI/CD pipeline

The build pipeline is where source code turns into deployable software. Any system that can modify builds, scripts, or artifacts effectively participates in the supply chain. Start by documenting who and what can influence the build process.

Key areas to review include:

• Access to CI/CD configuration and build scripts
• Permissions to modify pipeline templates or automation workflows
• Systems that store or distribute build artifacts
• Accounts with write access to package registries or internal repositories

Technical controls should also enforce artifact integrity:

• Verify that artifacts are signed and signatures are validated before deployment.
• Enforce checksum validation for downloaded dependencies.
• Restrict write access to build infrastructure and artifact repositories.

This review ensures that only trusted systems and identities can influence what ultimately ships.

Step 3: Review update and release controls

Dependency updates often enter production through automated workflows designed to keep software current. Without clear controls, those workflows can introduce risk without visibility.

Establish clear rules for how dependencies move through environments:

• Define how new dependencies are approved and version-pinned.
• Disable silent or automatic updates along production deployment paths.
• Require dependency upgrades to pass through testing and review stages.

Operational visibility also matters. Dependency changes should be treated as security-relevant events.

• Log when dependencies change, or new packages are introduced.
• Monitor version changes in critical libraries.
• Alert when unexpected updates occur during build or deployment.

This approach helps teams detect supply chain changes early instead of discovering them during incident response.

Step 4: Make supply chain questions part of every design review

Many supply chain risks originate long before code reaches production. They appear during architecture decisions about which frameworks, services, or third-party components to trust. Those choices should receive the same scrutiny as other security-sensitive design decisions.

During architecture planning and threat modeling sessions:

• Require reviews when introducing new dependencies or external integrations.
• Document the trust assumptions behind those components.
• Evaluate how the component is maintained, updated, and distributed.

Ask: what are we implicitly trusting here?

When teams consistently ask that question during design reviews, they begin identifying supply chain risks before those risks reach the build pipeline.

How do you build software supply chain security into your engineering workflow?

There are four moments in the engineering lifecycle when supply chain trust should always be reviewed: adding a new dependency, upgrading a major version, modifying a CI/CD pipeline, and running a quarterly audit of critical systems.

This is not to create additional meetings or paperwork, but to connect supply chain security to moments where trust already changes.

Trigger 1: Every new dependency introduction

Adding a new dependency expands the system’s trust boundary. That component will execute inside the application environment and may gain access to sensitive data, network paths, or system resources.

Before approving a new dependency, review:

• Maintainer activity and project health
• Release cadence and update history
• Required permissions or system access
• What part of the system will the dependency interact with

Teams should also document why the dependency is needed and what it will be trusted with inside the application.

Run this check during pull request review or architecture design discussions. The code owner for the service leads,  for high-impact systems, loops in a security reviewer before the dependency gets merged.

Trigger 2: Every major version upgrade

Major version upgrades often introduce behavioral changes that affect how software operates. Even when the upgrade fixes vulnerabilities or adds features, it can alter the attack surface or system behavior.

Before promoting a new major version:

• Review changelogs for functional or behavioral changes
• Validate integrity through signatures or checksums where available
• Reassess the component’s permissions and exposed interfaces

These checks help confirm that the new version behaves as expected before it reaches production.

Trigger 3: Build pipeline or CI/CD modification

Build pipelines control how software artifacts are produced and distributed. Changes to CI/CD workflows can introduce new trust relationships or expand permissions in the build environment.

Whenever pipeline configurations change, review:

• Artifact signing and verification mechanisms
• Access controls to build infrastructure
• Permissions to modify pipeline configuration or deployment workflows

This ensures that the systems responsible for assembling software cannot be modified without oversight.

Trigger 4: Quarterly trust review of critical systems

Even stable systems accumulate risk over time as dependencies grow, integrations expand, and infrastructure evolves. A scheduled trust review helps teams reassess the overall supply chain exposure of critical services.

During these reviews:

• Regenerate dependency trees to identify new transitive components
• Review dependency sprawl across the application
• Confirm that critical dependencies remain version-pinned
• Audit privileged integrations with external systems or services
  

Supply chain security becomes resilient when it is tied directly to engineering events such as dependency changes, pipeline updates, and release cycles. When those moments have clear owners responsible for reviewing trust assumptions, security moves from occasional audits to continuous practice inside the development lifecycle.

Frequently Asked Questions (FAQs) about software supply chain security gaps

Got more questions about software supply chain security? We’ve got you covered

Q1. Why isn’t CVE scanning enough to secure the software supply chain?

CVE scanning detects known vulnerabilities in published components. It does not evaluate how software enters your environment, whether a dependency can be trusted, or whether your build pipeline has been tampered with. Most real supply chain attacks – compromised maintainers, poisoned build pipelines, malicious package updates happen before a CVE exists. A clean scan confirms no known flaws were found. It does not confirm that the software in your pipeline is trustworthy.

Q2. What types of supply chain risks bypass vulnerability scanners?

Scanners rely on published databases; anything outside them passes undetected. Common blind spots include compromised maintainers publishing malicious updates, dependency confusion attacks targeting internal package names, tampered build scripts or CI/CD automation, code injection during the build process, and dependency updates that change behavior without introducing a vulnerability. Each of these affects how software enters the pipeline, not whether a known flaw exists in a component.

Q3. Does an SBOM solve software supply chain risk?

An SBOM improves visibility into what components exist in your application. It does not evaluate whether those components can be trusted, detect compromised packages, or verify build integrity. An SBOM is an inventory. Supply chain security requires additional controls around dependency approval, artifact integrity, and build infrastructure.

Q4. How do attackers compromise software supply chains?

Attackers target the infrastructure that builds or distributes software rather than the application itself. Common entry points are build servers and CI/CD pipelines, package registries, maintainer accounts for open source projects, and artifact repositories. Once inside, attackers insert malicious code into legitimate builds or updates. Downstream systems consume that software through normal delivery processes.

Q5. When should teams review supply chain security risks?

Reviews are most effective when tied to engineering events that change trust — introducing a new dependency, upgrading a major version, modifying CI/CD pipelines, or integrating new third-party services. Many teams also run quarterly reviews of critical systems to regenerate dependency trees and confirm update policies remain enforced.

Q6. What is the first step to improving supply chain security?

Map how software enters and moves through your environment. Generate full dependency trees, document CI/CD permissions, identify artifact storage and distribution paths, and review how dependencies are approved and updated. Once those trust relationships are visible, start tightening controls around the points where external code enters the system.

What the next phase of software supply chain security looks like 

Automated scanners will remain part of modern supply chain security. They help teams detect known vulnerabilities across large dependency graphs and keep basic checks running inside CI/CD pipelines. That capability still matters as applications continue to depend on open source ecosystems and rapidly evolving dependencies.

The real change happens when teams recognize where scanner visibility ends. Software supply chain security risk increasingly enters through trust relationships across dependencies, build systems, and update mechanisms. Once that becomes clear, the question stops being “Did the scan pass?” and becomes “What are we trusting every time we ship software?”

The organizations that answer that question consistently tend to make better security decisions.  Hence, it’s only wise to treat supply chain security as an engineering discipline tied to design reviews, dependency choices, and build integrity, rather than just another automated check in the pipeline. The next phase of supply chain security is not more scanning. It is understanding what your organization is trusting every time it ships software.

Want to operationalize software supply chain risk beyond vulnerability scans? Explore GRC frameworks and tools that help organizations manage governance, risk, compliance, and security oversight at scale.