Supply chain security

Defending the Olympus build and dependency chain

Software supply-chain attacks are an emerging risk. Olympus addresses several layers; some are your responsibility.

What's in Olympus's chain

| Layer | Risk | Olympus mitigation |
|---|---|---|
| Source code | Repo compromise | GitHub Actions runs in protected envs; commits push-to-main with CI gates |
| Dependencies | Malicious npm package | Pinned versions, source-only @olympusoss/* |
| Build | CI compromise | Workflow runs with limited GH token scopes |
| Container images | Hijacked image | Digest pinning (ADR 0014) |
| Base images | Vulnerable upstream | Bun and Ory base images pinned by digest |
| Caddy | Plugin tampering | Reproducible build (Security, Caddy supply chain) |
| Postgres | Vulnerable engine | Pinned by version; managed providers patch |
| TLS certs | Cert mis-issuance | Cert Transparency monitoring |

SBOM (Software Bill of Materials)

For SOC 2 / FedRAMP / EU CRA compliance, generate an SBOM:

# For npm dependencies
bun install --frozen-lockfile
npx @cyclonedx/cdxgen -t npm -o bom.json

# For container images
syft ghcr.io/olympusoss/athena:v2.10.0 -o spdx-json > athena-sbom.json

Distribute SBOMs alongside releases. Audit any "high" CVE entries.

Reproducible builds

The custom Caddy build is reproducible: the same inputs produce the same image digest. Verify:

podman pull ghcr.io/olympusoss/caddy:vX.Y.Z
podman inspect ghcr.io/olympusoss/caddy:vX.Y.Z --format '{{.Id}}'
# Should match the digest in caddy-build.yml's commit

Athena/Hera/Site images are Next.js standalone builds, not bit-for-bit reproducible (Next includes build timestamps), but the source AND the dependency lockfile are reproducible.

Signing

Future enhancement: sign images with Sigstore/cosign:

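cosign sign ghcr.io/olympusoss/athena:v2.10.0
# Verify at pull time. Keyless verification needs both the signer identity and the OIDC issuer.
# <workflow-identity> is a placeholder for the signing workflow's certificate identity.
cosign verify ghcr.io/olympusoss/athena:v2.10.0 \
  --certificate-identity=<workflow-identity> \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com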

Not currently shipped; on the roadmap.

Dependency review

Before adding a new dependency:

  1. What does it do? Read the README and a representative source file.
  2. How many maintainers? A one-person package can be hijacked when the maintainer burns out.
  3. Recent commits? Look for active maintenance.
  4. Known vulnerabilities? Check npm audit and OSV.dev.
  5. License compatible? Source-only npm packages are GPL-allergic; most permissive licenses are fine.

Compromised dependency response

If a maintained dependency turns out to be compromised:

  1. Pin to the last known-good version.
  2. Audit your build for what the compromised version did.
  3. Rotate any secrets the dependency could have seen.
  4. Update Dependabot to exclude that version range until a clean version is published.
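
To support step 2, the SBOM generated earlier can be checked for the compromised release. The following is an added example, not part of the Olympus code base: it scans a CycloneDX bom.json for components that match an advisory. The package names, versions and sample SBOM are constructed, and findCompromised and parseNpmPurl are hypothetical helper names.

```javascript
// Added example: find SBOM components that match a known-compromised release.
// All package names and versions below are constructed placeholders.

// Parse an npm package URL such as "pkg:npm/%40scope/name@1.2.3?x=y".
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/([^?#]+)/.exec(purl || "");
  if (!m) return null;
  const at = m[1].lastIndexOf("@");
  if (at <= 0) return null; // no version part in the purl
  return {
    name: decodeURIComponent(m[1].slice(0, at)),
    version: decodeURIComponent(m[1].slice(at + 1)),
  };
}

// Walk CycloneDX components (including nested ones) and return every
// component whose name and exact version are listed in the advisory.
// Matching is exact; an advisory given as a range needs a semver check.
function findCompromised(bom, advisory) {
  const hits = [];
  const visit = (components) => {
    for (const c of components || []) {
      // Prefer the purl; fall back to group/name/version when it is absent.
      const id = parseNpmPurl(c.purl) || {
        name: c.group ? `${c.group}/${c.name}` : c.name,
        version: c.version,
      };
      const bad = advisory[id.name];
      if (bad && bad.includes(id.version)) hits.push(`${id.name}@${id.version}`);
      visit(c.components);
    }
  };
  visit(bom.components);
  return [...new Set(hits)].sort();
}

// Constructed sample shaped like a CycloneDX bom.json.
const sampleBom = {
  bomFormat: "CycloneDX",
  components: [
    { type: "library", name: "example-util", version: "2.0.1", purl: "pkg:npm/example-util@2.0.1" },
    { type: "library", group: "@example", name: "auth", version: "1.4.3",
      purl: "pkg:npm/%40example/auth@1.4.3",
      components: [{ type: "library", name: "example-util", version: "2.0.2" }] },
    { type: "library", name: "example-safe", version: "3.1.0", purl: "pkg:npm/example-safe@3.1.0" },
  ],
};
// Constructed advisory: package name -> list of compromised versions.
const advisory = { "example-util": ["2.0.2"], "@example/auth": ["1.4.3", "1.4.4"] };

console.log(findCompromised(sampleBom, advisory));
```

A non-empty result means the compromised version reached a build, so steps 1 and 3 apply to every environment that ran it.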

What you handle outside Olympus

  • Your VPS provider's supply chain: choose providers with SOC 2 attestations.
  • Your DNS provider: DNS hijacking lets attackers obtain certs.
  • Your CDN: Cloudflare/Fastly/CloudFront issue your edge cert.
  • Your team's laptops: git push from a compromised dev machine.

Audit cadence

  • Daily: Dependabot.
  • Quarterly: dep tree review.
  • Annually: external pentest, SBOM publication.
