Model Supply Chain Security

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "model-supply-chain-security" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-model-supply-chain-security

Model Supply Chain Security

Protect models and inference components from tampering, dependency compromise, and untrusted artifact promotion.

Threats

  • Poisoned pretrained weights or adapters

  • Malicious model conversion tools or loaders

  • Compromised build pipelines and registries

  • Insecure runtime images with critical CVEs

Control Objectives

  • Verify artifact integrity end-to-end

  • Prove provenance for every promoted model

  • Detect vulnerable dependencies before deploy

  • Restrict execution to trusted signed artifacts

Recommended Controls

  • Generate SBOMs for model-serving images and dependencies.

  • Sign model artifacts and containers (Cosign/Sigstore).

  • Enforce provenance attestations in CI/CD.

  • Gate deployments with policy-as-code.

  • Continuously scan registries for CVEs and drift.

Promotion Policy Example

A model can move to production only when:

  • checksum matches signed manifest,

  • provenance references approved build workflow,

  • no unresolved critical vulnerabilities,

  • security and platform approvals are present.
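The four promotion conditions above, expressed as a policy-as-code gate. This is an added example, not code from the upstream SKILL.md or its repository: the manifest shape, the approved workflow URL, the approval team names and the scan findings are all constructed sample data, and the gate assumes the manifest's signature has already been verified by a preceding step (for instance `cosign verify`), so it checks digest, provenance, vulnerabilities and approvals but does not itself verify a signature.

```python
"""Promotion gate for a model artifact (added example, not from the upstream skill).

Evaluates the four conditions from the promotion policy:
  1. artifact checksum matches the signed manifest,
  2. provenance references an approved build workflow,
  3. no unresolved critical vulnerabilities,
  4. security and platform approvals are present.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Assumed allow-list of build workflows permitted to produce production models.
APPROVED_BUILD_WORKFLOWS = {
    "https://github.com/example-org/model-ci/.github/workflows/train-and-package.yml",
}
# Assumed names of the two approving teams named in the policy.
REQUIRED_APPROVALS = {"security", "platform"}


@dataclass
class Manifest:
    """Contents of a signed manifest after its signature was verified upstream.

    This gate deliberately does not re-verify the signature; it assumes a prior
    `cosign verify` step failed closed if the signature was missing or invalid.
    """
    sha256: str
    build_workflow: str
    approvals: set[str]
    open_findings: list[dict]  # e.g. {"id": "...", "severity": "CRITICAL", "resolved": False}


def artifact_digest(data: bytes) -> str:
    """SHA-256 hex digest of the artifact bytes as pulled from the registry."""
    return hashlib.sha256(data).hexdigest()


def evaluate_promotion(artifact: bytes, manifest: Manifest) -> list[str]:
    """Return the list of failed conditions; an empty list means promotable."""
    failures: list[str] = []
    if artifact_digest(artifact) != manifest.sha256:
        failures.append("checksum does not match signed manifest")
    if manifest.build_workflow not in APPROVED_BUILD_WORKFLOWS:
        failures.append(f"provenance references unapproved workflow: {manifest.build_workflow}")
    unresolved = [
        f["id"] for f in manifest.open_findings
        if f["severity"].upper() == "CRITICAL" and not f.get("resolved", False)
    ]
    if unresolved:
        failures.append("unresolved critical vulnerabilities: " + ", ".join(unresolved))
    missing = REQUIRED_APPROVALS - set(manifest.approvals)
    if missing:
        failures.append("missing approvals: " + ", ".join(sorted(missing)))
    return failures


# Constructed sample inputs (not real model weights or real findings).
SAMPLE_WEIGHTS = b"constructed placeholder standing in for model weight bytes"

COMPLIANT_MANIFEST = Manifest(
    sha256=artifact_digest(SAMPLE_WEIGHTS),
    build_workflow="https://github.com/example-org/model-ci/.github/workflows/train-and-package.yml",
    approvals={"security", "platform"},
    open_findings=[{"id": "FINDING-1", "severity": "HIGH", "resolved": False}],
)

NONCOMPLIANT_MANIFEST = Manifest(
    sha256=artifact_digest(SAMPLE_WEIGHTS),
    build_workflow="https://github.com/someone-else/fork/.github/workflows/build.yml",
    approvals={"platform"},
    open_findings=[{"id": "FINDING-2", "severity": "CRITICAL", "resolved": False}],
)

if __name__ == "__main__":
    for name, manifest in (("compliant", COMPLIANT_MANIFEST), ("noncompliant", NONCOMPLIANT_MANIFEST)):
        failures = evaluate_promotion(SAMPLE_WEIGHTS, manifest)
        print(name, "PROMOTE" if not failures else "BLOCK", failures)
```

The gate returns every failed condition rather than stopping at the first, so a CI job can surface all blockers in one run; wiring it in means failing the pipeline whenever the returned list is non-empty.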

Runtime Hardening

  • Run inference containers as non-root.

  • Apply egress restrictions to prevent unauthorized downloads.

  • Mount model volumes read-only when possible.

  • Alert on unsigned artifact pull attempts.
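A small audit of a Kubernetes inference workload against three of the hardening items above (non-root, read-only model mount, egress restriction). This is an added example and not part of the upstream skill; the pod specs and NetworkPolicy below are constructed, and the convention that model volumes are named with a `model` prefix is an assumption of this example.

```python
"""Audit an inference Pod spec for the runtime hardening items (added example).

Checks, over plain dicts shaped like Kubernetes objects:
  - every container runs as non-root (pod- or container-level runAsNonRoot),
  - volumes whose name starts with "model" are mounted read-only,
  - at least one NetworkPolicy selecting the pod declares an Egress policy type.
"""
from __future__ import annotations


def selector_matches(pod_selector: dict, pod_labels: dict) -> bool:
    """True when every matchLabels entry of the selector is present on the pod.

    An empty podSelector selects every pod in the namespace.
    """
    match_labels = pod_selector.get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in match_labels.items())


def audit_inference_workload(pod_spec: dict, pod_labels: dict,
                             network_policies: list[dict]) -> list[str]:
    """Return a list of findings; an empty list means the spec passes all checks."""
    findings: list[str] = []
    pod_sc = pod_spec.get("securityContext", {})

    for container in pod_spec.get("containers", []):
        name = container["name"]
        container_sc = container.get("securityContext", {})
        # Container-level setting overrides the pod-level one when present.
        run_as_non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if not run_as_non_root:
            findings.append(f"container {name} is not forced to run as non-root")
        for mount in container.get("volumeMounts", []):
            if mount["name"].startswith("model") and not mount.get("readOnly", False):
                findings.append(f"container {name} mounts {mount['name']} read-write")

    egress_restricted = any(
        "Egress" in policy["spec"].get("policyTypes", [])
        and selector_matches(policy["spec"].get("podSelector", {}), pod_labels)
        for policy in network_policies
    )
    if not egress_restricted:
        findings.append("no NetworkPolicy with an Egress policy type selects this pod")
    return findings


# Constructed sample objects.
POD_LABELS = {"app": "inference"}

WEAK_POD_SPEC = {
    "containers": [{
        "name": "server",
        "image": "registry.example.com/inference:latest",
        "volumeMounts": [{"name": "model-weights", "mountPath": "/models"}],
    }],
}

HARDENED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "server",
        "image": "registry.example.com/inference@sha256:<digest placeholder>",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "model-weights", "mountPath": "/models", "readOnly": True}],
    }],
}

# Egress policy with an allow-list left empty here: only what the team adds to
# `egress` is permitted, so arbitrary outbound downloads are blocked.
EGRESS_POLICY = {
    "kind": "NetworkPolicy",
    "spec": {"podSelector": {"matchLabels": {"app": "inference"}},
             "policyTypes": ["Egress"], "egress": []},
}

if __name__ == "__main__":
    print("weak:", audit_inference_workload(WEAK_POD_SPEC, POD_LABELS, []))
    print("hardened:", audit_inference_workload(HARDENED_POD_SPEC, POD_LABELS, [EGRESS_POLICY]))
```

Such a check fits naturally as an admission or CI step alongside the promotion gate: the weak spec above yields three findings, the hardened one none.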

Related Skills

  • sbom-supply-chain - Generate SBOM and provenance evidence

  • container-hardening - Harden runtime container posture

  • model-registry-governance - Controlled lifecycle and approvals

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
