
Supply chain attack response runbook

Step-by-step containment and recovery when a dependency, build tool, or CDN artifact is compromised.
Phase 1 — Detect

  • Verify the checksums of all fetched dependencies against the lockfile.
  • Audit CI logs for unexpected outbound connections during build.
  • Compare deployed binary hashes against known-good build artifacts.
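The first and third Detect steps come down to the same check: hash what you actually fetched or deployed and compare it with the pinned integrity value. The script below is an added example, not part of this runbook, and assumes lockfile entries in the Subresource-Integrity style "algo-<base64 digest>" form (as in package-lock.json); the package names and tarball bytes are constructed, with the lockfile derived from the offline known-good cache the tip at the end of the page recommends.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Hash algorithms accepted in lockfile integrity strings (SRI style).
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def parse_integrity(sri: str) -> Tuple[str, bytes]:
    """Split 'sha512-<base64>' into (algorithm name, raw digest bytes)."""
    algo, _, b64 = sri.partition("-")
    if algo not in SUPPORTED or not b64:
        raise ValueError(f"unsupported integrity value: {sri!r}")
    return algo, base64.b64decode(b64, validate=True)


def make_integrity(data: bytes, algo: str = "sha512") -> str:
    """Integrity string for a known-good artifact, e.g. from the offline cache."""
    digest = SUPPORTED[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def artifact_matches(data: bytes, sri: str) -> bool:
    """True if the bytes hash to the digest pinned in the lockfile entry."""
    algo, expected = parse_integrity(sri)
    actual = SUPPORTED[algo](data).digest()
    return hmac.compare_digest(actual, expected)


def verify_fetched(lock: Dict[str, str], fetched: Dict[str, bytes]) -> List[str]:
    """Names of packages that are missing or whose bytes do not match the lockfile.

    An empty list means every pinned artifact was fetched and verified."""
    problems = []
    for name, sri in lock.items():
        data = fetched.get(name)
        if data is None or not artifact_matches(data, sri):
            problems.append(name)
    return problems


# Constructed sample data (hypothetical package names and contents): the offline
# cache is the source of truth, the lockfile pins its hashes, and one freshly
# fetched tarball has been altered.
GOOD_CACHE = {"example-lib-1.2.0.tgz": b"known-good tarball bytes A",
              "example-util-0.9.1.tgz": b"known-good tarball bytes B"}
LOCKFILE = {name: make_integrity(data) for name, data in GOOD_CACHE.items()}
FETCHED = dict(GOOD_CACHE)
FETCHED["example-util-0.9.1.tgz"] = GOOD_CACHE["example-util-0.9.1.tgz"] + b"<altered>"

if __name__ == "__main__":
    for pkg in verify_fetched(LOCKFILE, FETCHED):
        print(f"MISMATCH: {pkg}")  # prints: MISMATCH: example-util-0.9.1.tgz
```

The same functions serve the "deployed binary hashes" step: feed the deployed files as `fetched` and the known-good build manifest as `lock`.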

Phase 2 — Contain

  • Freeze all deployments. Pin the CDN to a last-known-good revision.
  • Revoke signing keys and rotate any secrets exposed during the window.
  • Quarantine affected packages in a private registry for forensic analysis.

Phase 3 — Eradicate

  • Rebuild the entire supply chain from audited, pinned sources.
  • Re-sign all artifacts with fresh keys on an air-gapped machine.
  • Purge compromised versions from all caches and mirrors.

Phase 4 — Recover

  • Deploy the clean build to a staging environment and run full integration tests.
  • Gradually roll out to production with real-time monitoring enabled.
  • Publish a post-mortem and update the threat model.

Meridian tip: Maintain an offline copy of every dependency tarball. When the registry is compromised, your air-gapped cache is the only source of truth.