Detecting Supply Chain Threats
Date: 2025
Publisher: Saudi Digital Library
Abstract
This study investigates the detection of supply chain threats in open-source software by developing an innovative system that integrates scraping techniques and artificial intelligence (AI) for intent analysis. The project aims to address critical vulnerabilities by analysing git commit messages and corresponding code changes, ensuring enhanced transparency and security in the software supply chain. The proposed system comprises a GitHub scraper that retrieves structured data using GraphQL and REST APIs, overcoming API rate limitations for efficient data collection. The collected data is processed by an AI model, "Baymax," which employs large language models (LLMs) to evaluate the alignment between commit messages and code changes. The system is designed with scalability and modularity to accommodate repositories of varying sizes and complexities. The project was implemented using Agile Scrum methodologies, employing iterative development practices with tasks prioritised through the MoSCoW framework. Collaboration within the development team was structured through specialised roles, and progress was monitored via sprints, stand-ups, and retrospectives. The results indicate that the system effectively enhances the integrity of open-source software by identifying discrepancies indicative of potentially malicious changes. Future work includes expanding platform compatibility, improving system performance, and incorporating user feedback to improve accuracy. This research contributes to the growing field of software supply chain security, with implications for broader applications in software development and beyond.
Keywords: Cybersecurity, Artificial intelligence