# Supply Chain Security

> Monitor dependency changes, detect suspicious packages, prevent lookalike attacks, monitor for unwanted behavior / insider threats

## Overview

Dependencies change frequently and are nearly impossible to manage by hand. Zenable monitors dependency changes, detects suspicious packages, prevents lookalike attacks, and monitors for unwanted behavior / insider threats, providing a protected supply chain and a significant reduction in insider threat risk.

## Out-of-the-Box Protection

Zenable automatically provides these standard supply chain protections:

<Card title="Standard Security Checks" icon="shield">
  * **Typosquatting Detection** - Identifies lookalike package names
  * **Known Vulnerabilities** - Checks against CVE databases
  * **Suspicious Patterns** - Detects obfuscated code, unexpected network calls
  * **License Compliance** - Flags incompatible licenses
  * **Outdated Dependencies** - Identifies severely outdated packages
  * **Malicious Package Detection** - Checks against known malware databases
</Card>

## Custom Organization Requirements

Layer your specific supply chain policies on top:

> "All dependencies must be from our approved vendor list, no GPL licenses in production code, all packages must be internally mirrored, and any package from developers outside our organization requires security team approval."

### Example: Custom Vendor Requirements

**Your Policy:** "Only use packages from approved vendors with active support contracts"

```jsonc theme={null}
// ❌ Zenable flags unapproved dependency
{
  "dependencies": {
    "random-utility": "^1.0.0",  // Not from approved vendor
    "community-lib": "^2.3.1"    // No support contract
  }
}

// ✅ Zenable ensures compliance
{
  "dependencies": {
    "@approved-vendor/utility": "^1.0.0",
    "@enterprise/supported-lib": "^2.3.1"
  }
}
```

### Example: Internal Registry Enforcement

**Your Policy:** "All packages must be pulled from our internal Artifactory mirror"

```bash theme={null}
# ❌ Standard npm install
npm install express

# ✅ Zenable enforces internal registry
npm install express --registry=https://artifactory.company.com/npm
```

## In Action

```bash theme={null}
# First, get a more useful summary of the uv.lock file
uv export --format requirements-txt --no-hashes > temp-requirements.txt

# Then, check your dependencies for both standard and custom violations
zenable check package.json temp-requirements.txt

# Cleanup: restore the file if it is tracked in git, otherwise delete it
git checkout HEAD -- temp-requirements.txt 2>/dev/null || rm -f temp-requirements.txt
```

## Example Protection

### Lookalike Package Detection

```jsonc theme={null}
// ❌ Zenable detects typosquatting
{
  "dependencies": {
    "expresss": "^4.17.1",  // Extra 's' - likely typosquatting
    "momnet": "^2.29.1"     // 'momnet' instead of 'moment'
  }
}
```
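The check above can be reproduced with a small edit-distance scan of a `package.json`. The following is an added example, not Zenable's own detection code: it compares each dependency (scope stripped) against a constructed list of well-known package names using optimal string alignment distance, so a single insertion, deletion, substitution or adjacent transposition is flagged. The known-package list, the distance threshold and the sample manifest are assumptions.

```python
import json

# Constructed allow-list of well-known names (assumption); a real check would
# use a registry-derived popularity list rather than this hand-picked set.
KNOWN_PACKAGES = {"express", "moment", "lodash", "react", "axios", "chalk"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "momnet" -> "moment"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Known packages within max_distance edits of name, excluding exact matches."""
    base = name.split("/")[-1]  # strip an npm scope such as @org/
    return sorted(k for k in known if k != base and damerau_levenshtein(base, k) <= max_distance)


def find_lookalikes(package_json: str) -> dict:
    """Map each suspicious dependency in a package.json string to its likely targets."""
    manifest = json.loads(package_json)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for dep in manifest.get(section, {}):
            hits = lookalike_candidates(dep)
            if hits:
                findings[dep] = hits
    return findings


# Constructed sample manifest mirroring the page's typosquatting example.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"expresss": "^4.17.1", "momnet": "^2.29.1", "lodash": "^4.17.21"}
}"""

if __name__ == "__main__":
    for dep, targets in find_lookalikes(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: looks like {', '.join(targets)}")
```

Edit distance alone misses homoglyph, case and scope-confusion variants, so a production check should also consult registry metadata (publish date, maintainer history, download counts).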

### Suspicious Behavior Detection

```python theme={null}
# ❌ Zenable flags unexpected behavior in dependencies
def innocent_function():
    # Hidden data exfiltration attempt
    import os
    send_to_external(os.environ)
```

## Continuous Protection

Zenable continuously monitors your dependencies for:

* Changes in package behavior between versions
* New or modified dependencies in your codebase
* Suspicious patterns that could indicate compromise
* Lookalike packages that could be malicious

## Benefits

* **Protected Supply Chain** - Comprehensive monitoring of all code changes and usage of new dependencies
* **Reduced Insider Threat Risk** - Detect and prevent malicious updates from compromised developers
* **Prevent Lookalike Attacks** - Catch typosquatting and similar attacks before they cause damage
* **Monitor Unwanted Behavior** - Identify when dependencies start behaving suspiciously

## Real-World Custom Examples

### Financial Services Requirements

**Policy:** "All cryptographic libraries must be FIPS 140-2 validated"

### Healthcare Requirements

**Policy:** "No dependencies can transmit data to servers outside the US"

### Government Requirements

**Policy:** "All dependencies must be from US-based developers with security clearance"

## Related Use Cases

* [Security Assessment](/use-cases/security-assessment) - Identify vulnerabilities in your code
* [Policy as Code](/use-cases/policy-as-code) - Define dependency policies programmatically
* [Compliance Pre-Audit](/use-cases/compliance-pre-audit) - Ensure license compliance
