Supply Chain Security
Third-party vendor risk management, continuous monitoring, automated risk assessments, and vendor alert tracking. Provides SOC teams with visibility into the security posture of every vendor in the supply chain.
Overview
Modern SOC operations depend on dozens of third-party vendors -- SIEMs, EDR platforms, cloud providers, consulting partners, and data processors. A breach at any vendor directly impacts the organisation. The Supply Chain Security module gives security teams a centralised registry, automated risk scoring, and real-time alerting so that third-party risk is continuously managed rather than reviewed once per year.
Why This Module Is Needed
- Regulatory mandates (SOC 2, FedRAMP, NIST 800-161) require continuous third-party risk management.
- High-profile supply chain attacks (SolarWinds, Okta, MOVEit) demonstrate that vendor risk can become organisational risk overnight.
- Manual vendor assessments are slow, inconsistent, and quickly stale. Automated scoring keeps risk data current.
- Centralised vendor alerting closes the gap between a vendor disclosure and an internal response action.
What Was Proposed
- Vendor registry with tiering (critical / high / medium / low) and categorisation (software, infrastructure, cloud, consulting, data processor).
- Automated risk assessment engine with composite scoring across four dimensions: security posture, compliance, breach history, and attack surface.
- Vendor alert system for breaches, vulnerabilities, compliance lapses, certificate expiry, and reputation events.
- Dashboard with risk distribution, trend charting, contract expiry tracking, and top-risk vendor ranking.
- Full frontend with dashboard, vendor list, vendor detail, and assessment management pages.
What's Built
- Vendor registry with full CRUD (create, read, update) and filtering by tier, category, status, and risk score range
- 20 realistic demo vendors spanning 5 categories: CrowdStrike, Splunk, Microsoft, AWS, Okta, Snowflake, and more
- Automated risk assessment engine with weighted composite scoring (35% security posture, 25% compliance, 20% breach history, 20% attack surface)
- 7 pre-seeded vendor alerts covering breaches, CVEs, compliance lapses, certificate expiry, and reputation events
- Dashboard summary endpoint with vendor counts by tier/category, risk distribution, top 5 risks, expiring contracts, and unacknowledged alert count
- 90-day risk trend data endpoint with weekly data points for charting
- Alert acknowledgement workflow with analyst attribution and timestamp
- DB-first architecture with seamless demo-data fallback when database is unavailable
- Frontend dashboard page with KPI cards, risk distribution bars, top-10 riskiest vendor table, and recent alerts
- Frontend vendor inventory page with search, tier filter, category filter, and Add Vendor modal
- Frontend vendor detail page (dynamic route /supply-chain/vendors/[id])
- Frontend assessments page with status tabs (All / Pending / Completed), Run Now action, and score breakdown bars
Architecture
Data Flow
- Frontend pages call `/api/v1/supply-chain/*` endpoints via the `api` client.
- The FastAPI router validates inputs with Pydantic schemas and delegates to `SupplyChainService`.
- The service attempts a DB query first. If the database is unavailable (e.g. dev/demo mode), it falls back to in-memory demo data with 20 vendors, 20 assessments, and 7 alerts.
- Risk assessments use a weighted formula: `overall = 0.35 * security_posture + 0.25 * compliance + 0.20 * breach_history + 0.20 * attack_surface`. The vendor risk score is `100 - overall`.
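The scoring described above, worked through as an added example (this is not the module's own service code): it applies the four weights, derives the vendor `risk_score` as `100 - overall`, attaches the 90-day `expires_at`, and ranks vendors for the dashboard's top-risk list. Input validation and the helper names are my assumptions.

```python
from datetime import datetime, timedelta

# Weights of the four assessment dimensions from the module's formula; they sum to 1.0.
WEIGHTS = {
    "security_posture": 0.35,
    "compliance": 0.25,
    "breach_history": 0.20,
    "attack_surface": 0.20,
}
ASSESSMENT_VALIDITY_DAYS = 90  # default expires_at offset from assessed_at


def composite_score(scores: dict[str, float]) -> float:
    """Weighted composite on a 0-100 scale; higher means the vendor looks healthier."""
    missing = set(WEIGHTS) - set(scores)
    extra = set(scores) - set(WEIGHTS)
    if missing or extra:
        raise ValueError(f"bad dimensions: missing={sorted(missing)} extra={sorted(extra)}")
    for name, value in scores.items():
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"{name} out of range 0-100: {value}")
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 2)


def risk_score(scores: dict[str, float]) -> float:
    """Risk score as stored on the vendor row: 100 - overall, so higher means riskier."""
    return round(100.0 - composite_score(scores), 2)


def build_assessment(vendor_id: str, scores: dict[str, float], assessed_at: datetime) -> dict:
    """Shape a completed VendorRiskAssessment-like record with its 90-day expiry (assumed layout)."""
    return {
        "vendor_id": vendor_id,
        "status": "completed",
        "overall_score": composite_score(scores),
        **{f"{k}_score": v for k, v in scores.items()},
        "assessed_at": assessed_at,
        "expires_at": assessed_at + timedelta(days=ASSESSMENT_VALIDITY_DAYS),
    }


def is_expired(assessment: dict, now: datetime) -> bool:
    """True once expires_at has passed, i.e. the vendor needs a fresh assessment run."""
    return now >= assessment["expires_at"]


def top_risks(vendors: list[dict], n: int = 5) -> list[dict]:
    """Dashboard 'top risks': vendors ordered by risk_score descending."""
    return sorted(vendors, key=lambda v: v["risk_score"], reverse=True)[:n]
```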
Source Files
| Layer | Path |
|---|---|
| Router | platform/api/app/routers/supply_chain.py |
| Service | platform/api/app/services/supply_chain.py |
| Models | platform/api/app/models/supply_chain.py |
| Schemas | platform/api/app/schemas/supply_chain.py |
| Frontend Dashboard | platform/frontend/src/app/supply-chain/page.tsx |
| Frontend Vendors | platform/frontend/src/app/supply-chain/vendors/page.tsx |
| Frontend Vendor Detail | platform/frontend/src/app/supply-chain/vendors/[id]/page.tsx |
| Frontend Assessments | platform/frontend/src/app/supply-chain/assessments/page.tsx |
Routing
Frontend Routes
| Route | Description |
|---|---|
| /supply-chain | Dashboard -- KPIs, risk distribution, top-10 riskiest vendors, recent alerts |
| /supply-chain/vendors | Full vendor inventory with search, tier/category filters, Add Vendor modal |
| /supply-chain/vendors/[id] | Vendor detail -- latest assessment, alert count, contact info |
| /supply-chain/assessments | Assessment management -- All/Pending/Completed tabs, Run Now, score breakdown |
API Endpoints
All endpoints are under /api/v1/supply-chain with the supply-chain tag.
```text
# Vendor CRUD
GET  /api/v1/supply-chain/vendors                              # List vendors (filter: tier, category, status, risk_min, risk_max)
POST /api/v1/supply-chain/vendors                              # Create vendor
GET  /api/v1/supply-chain/vendors/{vendor_id}                  # Get vendor detail + latest assessment + alert count
PUT  /api/v1/supply-chain/vendors/{vendor_id}                  # Update vendor

# Assessments
POST /api/v1/supply-chain/vendors/{vendor_id}/assess           # Trigger new risk assessment
GET  /api/v1/supply-chain/assessments                          # List all assessments

# Alerts
GET  /api/v1/supply-chain/alerts                               # List vendor alerts
PUT  /api/v1/supply-chain/alerts/{alert_id}/acknowledge        # Acknowledge alert

# Dashboard
GET  /api/v1/supply-chain/summary                              # Dashboard summary (counts, risk dist, top risks, expiring contracts)
GET  /api/v1/supply-chain/risk-trend                           # 90-day risk trend (weekly data points)
```
Prerequisites
- FastAPI backend with async SQLAlchemy and PostgreSQL (or demo mode for development).
- Next.js 14+ frontend with the `api` client from `@/lib/api-client`.
- Tenant middleware -- all endpoints read `request.state.tenant_id` for multi-tenant isolation.
- Database migrations for the `vendors`, `vendor_risk_assessments`, and `vendor_alerts` tables (Alembic).
Data Model
Vendor
| Column | Type | Notes |
|---|---|---|
| id | String(36) PK | UUID auto-generated |
| tenant_id | String(36) | Indexed, multi-tenant key |
| name | String(255) | Vendor display name |
| domain | String(255) | e.g. crowdstrike.com |
| category | String(50) | software / infrastructure / cloud / consulting / data_processor |
| tier | String(20) | critical / high / medium / low |
| risk_score | Float | 0 to 100, updated on assessment |
| status | String(20) | active / under_review / archived |
| contract_expiry | DateTime | Nullable |
| primary_contact_name | String(255) | Nullable |
| primary_contact_email | String(255) | Nullable |
| description | Text | Nullable |
| metadata | JSON | Flexible metadata store |
| created_at | DateTime | Server default now() |
| updated_at | DateTime | Auto-updated on change |
VendorRiskAssessment
| Column | Type | Notes |
|---|---|---|
| id | String(36) PK | UUID |
| vendor_id | String(36) FK | References vendors.id |
| tenant_id | String(36) | Indexed |
| status | String(20) | pending / in_progress / completed / expired |
| overall_score | Float | Weighted composite (0-100) |
| security_posture_score | Float | Weight: 35% |
| compliance_score | Float | Weight: 25% |
| breach_history_score | Float | Weight: 20% |
| attack_surface_score | Float | Weight: 20% |
| findings | JSON | Summary, critical/high/medium/low counts, recommendations |
| assessed_by | String(255) | "ThreatOps AI Engine" or analyst name |
| assessed_at | DateTime | Timestamp of assessment run |
| expires_at | DateTime | 90-day expiry by default |
VendorAlert
| Column | Type | Notes |
|---|---|---|
| id | String(36) PK | UUID |
| vendor_id | String(36) FK | References vendors.id |
| tenant_id | String(36) | Indexed |
| alert_type | String(50) | breach / compliance_lapse / certificate_expiry / vulnerability / reputation |
| severity | String(20) | critical / high / medium / low |
| title | String(500) | Alert headline |
| description | Text | Full description |
| acknowledged | Boolean | Default false |
| acknowledged_by | String(255) | Analyst who acknowledged |
| acknowledged_at | DateTime | Nullable |
Relationships
- `Vendor` has many `VendorRiskAssessment` (lazy="selectin")
- `Vendor` has many `VendorAlert` (lazy="selectin")
UI Description
Supply Chain Overview
Five KPI cards (Total Vendors, Critical Tier, Avg Risk Score, Active Alerts, Overall Risk Score with progress bar). Risk Distribution horizontal bars. Top 10 Riskiest Vendors table sorted by risk_score descending. Recent Vendor Alerts list with severity badges and time-ago formatting. Orange accent CTA button to View All Vendors.
Vendor Inventory
Full-width search bar, tier dropdown, category dropdown. Table with columns: Vendor, Domain, Category, Tier badge, Risk Score bar + number, Status badge, Last Assessed date, and detail link. Add Vendor modal with name, domain, category, and tier fields. Clicking a row navigates to vendor detail.
Vendor Detail View
Displays full vendor information including contact details, contract expiry, latest assessment breakdown with four score bars (Security Posture, Compliance, Breach History, Attack Surface), alert count, and findings summary.
Assessment Management
Four stat cards (Total, Pending/In Progress, Completed, Failed). Tab bar with All / Pending / Completed filters. Assessment cards show vendor name, status badge, type, assessor, and requested date. Completed assessments expand to show 4-dimension score breakdown bars. Pending assessments have a "Run Now" button that triggers the assessment API.