Supply-chain security: harden a release pipeline end to end

Take a small service (your own or a fresh create-next-app / NestJS scaffold) and harden its full supply chain — install step, registry precedence, SBOM, and signed provenance — then demonstrate each control by planting an attack it must block.

• Establish a baseline: a service with a committed lockfile, a CI workflow that builds and produces an artifact (npm package or container image), and a short written note on what is currently unprotected at the install and release steps.
• Harden the install step: switch CI to `npm ci` (never bare install), add `--ignore-scripts`, pin exact versions (no caret ranges), and enable automated dependency review (Dependabot / audit / Renovate) on every PR.
• Defend against dependency confusion: move internal packages under a scoped namespace you own publicly, configure strict private-registry precedence for that scope, and document the resolution order so a public impostor at a higher version cannot win.
• Generate an SBOM at build time in CycloneDX or SPDX (e.g. Syft) and attach it to the artifact; show you can query it for a given component and version.
• Add provenance and signing: produce SLSA provenance for the release artifact and sign it with Sigstore / cosign (keyless OIDC is fine), then add a deploy gate that runs `cosign verify` against the expected build identity and rejects anything unsigned or foreign-built.
• Scope CI least-privilege: set the default token to read-only, grant write/publish only to the release job, and ensure untrusted (fork PR) code never runs with publish secrets.
• Plant three attacks and show each control catches them: (a) tamper a vendored tarball's bytes under the same version and show `npm ci` fails the hash; (b) publish a higher-version public package under an internal name and show precedence blocks it; (c) push an unsigned or mismatched-identity image and show the cosign deploy gate rejects it.

• A before/after table of controls: install command, version pinning, --ignore-scripts, dependency review, registry precedence, SBOM, provenance, signing, token scope — each marked present/absent with the config diff that enabled it.
• Evidence each planted attack is caught: the failing `npm ci` hash-mismatch log, the blocked confusion resolution, and the rejected cosign verify — pasted output, not described.
• A generated SBOM attached to the artifact plus a worked query showing you can answer 'is component X at version Y present?' against it.
• A one-paragraph write-up mapping each control to the documented incident it defends against (lockfile/hash → event-stream/ua-parser-js; precedence → Birsan confusion; provenance/signing → xz-utils), and why hashes alone were insufficient.