Supply Chain Security

This page explains artifact pinning, provenance verification, and SSRF protections.


The Supply Chain Attack Surface: From Registry to Runtime

Attack Scenarios:

  • Malicious publish: Attacker gains npm publish rights, pushes backdoored version.
  • Dependency confusion: Attacker publishes @myorg/internal-tool to public npm.
  • Registry compromise: npm itself is breached, serves modified tarballs.

MCPTrust's Role: Verify that the artifact you're about to run matches what was approved.

Artifact Pinning

What gets pinned (in mcp-lock.json):

"artifact": {
  "type": "npm",
  "name": "@scope/package",
  "version": "1.2.3",
  "registry": "https://registry.npmjs.org",
  "integrity": "sha512-abc123...",
  "tarball_url": "https://registry.npmjs.org/@scope/package/-/package-1.2.3.tgz",
  "tarball_sha256": "def456..."
}

Fields:

| Field | Purpose |
|---|---|
| integrity | npm's SHA-512 SRI hash (npm native) |
| tarball_sha256 | MCPTrust's own SHA-256 of the downloaded tarball |
| tarball_url | Exact URL for reproducible downloads |

Verification Workflow

Commands:

# Basic metadata check (fast, no download)
mcptrust artifact verify mcp-lock.json

# Deep verification (downloads tarball, verifies SHA-256)
mcptrust artifact verify --deep mcp-lock.json

# Provenance verification (checks SLSA attestation)
mcptrust artifact provenance mcp-lock.json

Provenance (SLSA)

What is SLSA? Supply-chain Levels for Software Artifacts, a framework for ensuring build integrity.

What MCPTrust checks:

  1. Package has Sigstore attestation on npm.
  2. Attestation signature is valid.
  3. Source repo matches expected pattern (optional --expected-source).

[!NOTE] Running mcptrust lock --verify-provenance will populate a detailed artifact.provenance section in the lockfile with the verified builder details and build timestamp.

Example:

mcptrust artifact provenance \
  --expected-source "^https://github.com/modelcontextprotocol/.*" \
  mcp-lock.json

Network Security (SSRF Protection)

Blocked by default:

  • Private IPs (10.x, 172.16-31.x, 192.168.x, 127.x, ::1)
  • Link-local (169.254.x, fe80::/10)
  • Loopback, CGNAT, TEST-NETs

Override (for private registries):

mcptrust artifact verify --deep --unsafe-allow-private-tarball-hosts mcp-lock.json

Other protections: HTTPS only, max 5 redirects, no scheme downgrade.
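To make the pinning and network rules on this page concrete, here is an added Python sketch (example code, not MCPTrust's own implementation) that recomputes the two digests pinned in a lock entry and applies the HTTPS-only, blocked-range and redirect-limit checks described above. The blocked ranges are taken from the list in this section; the tarball bytes and lock entry are constructed for the example.

```python
import base64
import hashlib
import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 5  # limit stated on the page

# Ranges the page lists as blocked by default.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # private
    "127.0.0.0/8", "::1/128",                             # loopback
    "169.254.0.0/16", "fe80::/10",                        # link-local
    "100.64.0.0/10",                                      # CGNAT
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # TEST-NETs
)]

def host_allowed(host: str, allow_private: bool = False) -> bool:
    """True unless host is a literal IP inside a blocked range; allow_private
    mirrors --unsafe-allow-private-tarball-hosts. Re-run this on every address
    DNS returns for a hostname, not only on the literal in the URL."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return True  # a DNS name: decide after resolution
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must hit the IPv4 rules
    return allow_private or not any(ip in net for net in BLOCKED_NETS)

def redirect_allowed(hop: int, target: str, allow_private: bool = False) -> bool:
    """Follow redirect number `hop` only if within the limit, still HTTPS
    (no scheme downgrade) and the new host passes the same SSRF check."""
    p = urlsplit(target)
    return (hop <= MAX_REDIRECTS and p.scheme == "https" and bool(p.hostname)
            and host_allowed(p.hostname, allow_private))

def verify_tarball(artifact: dict, tarball: bytes) -> dict:
    """Deep verification: recompute both digests pinned in the lock entry."""
    sri = "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()
    return {"integrity": artifact["integrity"] == sri,
            "tarball_sha256": artifact["tarball_sha256"] == hashlib.sha256(tarball).hexdigest()}

# Constructed sample: an "approved" tarball and the lock entry pinned from it.
APPROVED = b"constructed tarball bytes, not a real npm package"
ARTIFACT = {
    "type": "npm", "name": "@scope/package", "version": "1.2.3",
    "integrity": "sha512-" + base64.b64encode(hashlib.sha512(APPROVED).digest()).decode(),
    "tarball_sha256": hashlib.sha256(APPROVED).hexdigest(),
}

if __name__ == "__main__":
    print(verify_tarball(ARTIFACT, APPROVED + b"x"))  # both False: tampered bytes
```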