Hacker News
by trishankdatadog 2107 days ago
Don't miss how we used TUF [1] and in-toto [2] to build compromise-resilient CI/CD (the first in the industry AFAICT) for the Datadog Agent integrations [3][4] that detects attacks anywhere between our developers and end-users.

[1] https://theupdateframework.io/

[2] https://in-toto.io/

[3] https://www.youtube.com/watch?v=9hCiHr1f0zM

[4] https://dtdg.co/integrations-tuf-in-toto

1 comment

How does this pattern/toolset protect against supply-chain compromises of the dependencies used to build the "Datadog Agent" itself?
Apply the pattern/toolset recursively. Software supply chain problems will largely, eventually, be solved this way.
Is there any initiative in this direction towards applying this pattern to big dependency management tools (e.g. Maven, pip, npm)?
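To make the thread's claim concrete (a pipeline whose every hop is attested, so tampering anywhere between the developer's commit and the end user's download is detected), here is an added example that is not part of the original post, the Datadog tooling, or the in-toto reference implementation. It models in-toto's core idea in a deliberately stripped-down form: each step of a layout is performed by a functionary with an authorized Ed25519 key, each step emits a signed "link" recording the hashes of the artifacts it consumed (materials) and produced (products), and the verifier replays the layout, checking signatures, checking that each step's materials are exactly the previous step's products, and finally checking that what the end user received matches the last step's products. The three-step pipeline (commit, build, package), the keys, the file contents and the three tampering scenarios are all constructed for this illustration; real in-toto link and layout metadata, artifact rules and key distribution (via TUF) are richer than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link is a simplified in-toto link: one step's record of the artifacts it
// consumed (Materials) and produced (Products), as path -> sha256 hex.
type Link struct {
	Step      string            `json:"step"`
	Materials map[string]string `json:"materials"`
	Products  map[string]string `json:"products"`
}

// SignedLink is a Link plus an Ed25519 signature over its canonical JSON
// (encoding/json sorts map keys, so the encoding is deterministic).
type SignedLink struct {
	Link Link
	Sig  []byte
}

// Step is one entry of the layout: the public key authorized to sign it and
// the earlier step whose products its materials must equal ("" for the first).
type Step struct {
	Name      string
	Key       ed25519.PublicKey
	MatchFrom string
}

// Hash records the artifacts a step sees, the same way a link would.
func Hash(files map[string][]byte) map[string]string {
	out := map[string]string{}
	for p, b := range files {
		h := sha256.Sum256(b)
		out[p] = hex.EncodeToString(h[:])
	}
	return out
}

func canonical(l Link) []byte {
	b, _ := json.Marshal(l) // Link contains only strings and maps; cannot fail
	return b
}

// Sign is what a functionary (developer, CI runner, packager) does at its step.
func Sign(priv ed25519.PrivateKey, l Link) SignedLink {
	return SignedLink{Link: l, Sig: ed25519.Sign(priv, canonical(l))}
}

func sameArtifacts(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for p, h := range a {
		if b[p] != h {
			return false
		}
	}
	return true
}

// Verify is what the end user (or the package repository) runs: every step must
// have a link signed by its authorized key, each step's materials must be exactly
// the previous step's products, and the delivered files must hash to the final
// step's products. Any break in that chain is reported as an error.
func Verify(layout []Step, links map[string]SignedLink, received map[string][]byte) error {
	products := map[string]map[string]string{}
	for _, st := range layout {
		sl, ok := links[st.Name]
		if !ok || sl.Link.Step != st.Name {
			return fmt.Errorf("step %q: missing link", st.Name)
		}
		if !ed25519.Verify(st.Key, canonical(sl.Link), sl.Sig) {
			return fmt.Errorf("step %q: bad signature or unauthorized signer", st.Name)
		}
		if st.MatchFrom != "" && !sameArtifacts(sl.Link.Materials, products[st.MatchFrom]) {
			return fmt.Errorf("step %q: materials differ from products of %q", st.Name, st.MatchFrom)
		}
		products[st.Name] = sl.Link.Products
	}
	last := layout[len(layout)-1].Name
	if !sameArtifacts(products[last], Hash(received)) {
		return fmt.Errorf("delivered artifact does not match products of %q", last)
	}
	return nil
}

// Scenario runs a constructed commit -> build -> package pipeline with one
// optional tampering ("none", "swap-artifact", "unauthorized-key",
// "tamper-download") and returns Verify's verdict. Keys and files are made up.
func Scenario(tamper string) error {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // key not in the layout

	layout := []Step{
		{Name: "commit", Key: devPub},
		{Name: "build", Key: ciPub, MatchFrom: "commit"},
		{Name: "package", Key: pkgPub, MatchFrom: "build"},
	}
	src := map[string][]byte{"check.py": []byte("def check(): return 1\n")}
	wheel := map[string][]byte{"dist/check-1.0.whl": []byte("wheel-bytes-v1")}
	backdoored := map[string][]byte{"dist/check-1.0.whl": []byte("wheel-bytes-backdoored")}

	buildKey, pkgInput, delivered := ciPriv, wheel, wheel
	switch tamper {
	case "swap-artifact": // artifact replaced between the build and package hosts
		pkgInput, delivered = backdoored, backdoored
	case "unauthorized-key": // CI link re-signed by a key the layout does not trust
		buildKey = roguePriv
	case "tamper-download": // mirror or CDN serves a modified file to the end user
		delivered = backdoored
	}
	links := map[string]SignedLink{
		"commit":  Sign(devPriv, Link{Step: "commit", Materials: map[string]string{}, Products: Hash(src)}),
		"build":   Sign(buildKey, Link{Step: "build", Materials: Hash(src), Products: Hash(wheel)}),
		"package": Sign(pkgPriv, Link{Step: "package", Materials: Hash(pkgInput), Products: Hash(pkgInput)}),
	}
	return Verify(layout, links, delivered)
}

func main() {
	for _, t := range []string{"none", "swap-artifact", "unauthorized-key", "tamper-download"} {
		fmt.Printf("%-17s -> %v\n", t, Scenario(t))
	}
}
```

Only the honest run verifies; each tampering is caught at a different point (signature check, materials/products continuity, or the final delivery check), which is the "anywhere between developers and end-users" property. The reply about applying the pattern recursively maps onto this model directly: the first step's materials (here empty) would themselves be the verified products of an upstream layout covering the dependencies, so the same Verify runs one level down.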