Supply Chain Security

Atticus Health is formalizing supply chain security controls from dependency selection through production deployment, with automated scanning, service-specific builds, and deployment gates at every stage.

Info: Supply chain security controls are being formalized as part of SOC 2 preparation. This page describes our target practices: some are in place today, others are being implemented.

Dependency Management

  • Lockfile enforcement — All projects use lockfiles committed to source control; installs are reproducible
  • Automated scanning — Dependencies scanned for known vulnerabilities on every pull request
  • License compliance — Dependency license auditing for compatibility with healthcare deployment requirements (being formalized)
  • Update cadence — Regular dependency update cycles, with security patches prioritized (automation in progress)

Container Image Security

  • Approved base images — Containers derive from a curated set of base images
  • Image scanning — Container image scanning for vulnerabilities (being implemented)
  • Minimal images — Multi-stage builds produce minimal production images, reducing attack surface
  • Pinned versions — Image references use immutable versions, never floating tags
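As an added illustration of the "pinned versions" control (example code, not part of this page or of Atticus Health's tooling), the checker below audits the FROM lines of a Dockerfile and reports which external image references are pinned by digest, which use a version tag (which a registry can still re-point), and which float on latest or no tag at all. The Dockerfile and the sha256 digest are constructed sample data; build-stage aliases and scratch are skipped because they are not external images.

```python
import re
from typing import NamedTuple

# Constructed sample Dockerfile for the example (not a real service Dockerfile):
# one tag-pinned stage, one digest-pinned stage, and one floating reference.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM python:3.12-slim AS build
RUN pip install --no-cache-dir -r requirements.txt
FROM registry.example.internal/base/python@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS runtime
FROM ubuntu
"""

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# A content digest is the only truly immutable reference.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


class ImageRef(NamedTuple):
    line_no: int
    ref: str
    verdict: str  # "digest", "tag" or "floating"


def classify_ref(ref: str) -> str:
    """Classify one image reference by how strongly it is pinned."""
    if DIGEST_RE.search(ref):
        return "digest"
    # Look only at the last path segment so a registry host:port is not
    # mistaken for a tag (e.g. localhost:5000/app has no tag).
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last or last.endswith(":latest"):
        return "floating"
    return "tag"


def audit_dockerfile(text: str) -> list[ImageRef]:
    """Return a verdict for every external image referenced by a FROM line."""
    results: list[ImageRef] = []
    stages: set[str] = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # "FROM <earlier stage>" and "FROM scratch" pull nothing from a registry.
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if alias:
            stages.add(alias.lower())
        results.append(ImageRef(line_no, ref, classify_ref(ref)))
    return results


def violations(text: str) -> list[ImageRef]:
    """Everything that is not digest-pinned; a CI gate would fail on a non-empty list."""
    return [r for r in audit_dockerfile(text) if r.verdict != "digest"]


if __name__ == "__main__":
    for r in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {r.line_no}: {r.verdict:8} {r.ref}")
```

Whether a plain version tag passes the gate is a policy choice; the example treats only digests as compliant, which is the strictest reading of "immutable".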

CI/CD Pipeline Integrity

Atticus Health uses automated pipelines with service-specific targeting — only the services affected by a change are built and deployed:

  • Pipeline as code — All CI/CD pipelines defined in version-controlled configuration
  • Branch protection — Main and release branches require pull request approval, passing CI, and no force-push
  • Service-specific builds — Each microservice builds independently, preventing unrelated changes from affecting other services
  • Automated testing — Unit tests, integration tests, and code quality checks run on every change
  • Deployment gates — Promotion through environments (dev → test → staging → production) requires passing all quality gates
  • Automated rollback — Production deployments roll back automatically if health checks fail
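The following is an added example of the service-specific targeting described above; it is not Atticus Health's pipeline code. It assumes a hypothetical monorepo layout in which each service lives under services/<name>, shared code lives under libs/<name>, and a small dependency map records which services consume which libraries. Changes to pipeline definitions rebuild everything, a change to an unregistered service directory fails closed rather than silently skipping a build, and unrelated files (documentation) trigger nothing.

```python
from pathlib import PurePosixPath

# Constructed dependency map for the example: service -> shared libs it uses.
SERVICE_DEPS = {
    "scheduling": {"libs/auth", "libs/fhir"},
    "billing": {"libs/auth"},
    "notifications": set(),
}

# Constructed list of paths that are inputs to every build (pipeline
# definitions, the approved base-image list); touching them rebuilds all.
GLOBAL_PATHS = (".github/workflows/", "ci/", "docker/base-images.lock")


def affected_services(changed_files, service_deps=SERVICE_DEPS, global_paths=GLOBAL_PATHS):
    """Return the sorted list of services whose build must run for this change set."""
    affected = set()
    for path in changed_files:
        if any(path.startswith(g) for g in global_paths):
            return sorted(service_deps)  # pipeline-wide input changed: rebuild everything
        parts = PurePosixPath(path).parts
        if len(parts) >= 2 and parts[0] == "services":
            if parts[1] not in service_deps:
                # Fail closed: an unknown service directory means the map is stale.
                raise ValueError(f"unregistered service directory: services/{parts[1]}")
            affected.add(parts[1])
        elif len(parts) >= 2 and parts[0] == "libs":
            lib = f"libs/{parts[1]}"
            affected.update(s for s, deps in service_deps.items() if lib in deps)
        # Anything else (docs, README, etc.) does not affect a service build.
    return sorted(affected)


if __name__ == "__main__":
    # Constructed change set standing in for the output of `git diff --name-only`.
    changed = ["libs/auth/token.py", "docs/runbook.md"]
    print("build:", affected_services(changed))  # scheduling and billing use libs/auth
```

In a real pipeline the change list would come from the diff between the PR head and its merge base, and the returned list would drive which build jobs are scheduled.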

Code Quality

  • Required code review — All changes require at least one approved review before merge
  • Static analysis — Linting and strict type checking enforced in CI
  • Secret scanning — Pre-commit hooks and CI checks prevent accidental secret commits
  • Consistent standards — Automated formatting and style enforcement across all services

SBOM (Software Bill of Materials)

  • Generated per service — SBOM generation as part of the CI pipeline (planned)
  • Standard format — Will be available in an industry-standard format for interoperability
  • Available on request — SBOMs to be provided to customers as part of the security review process