Software supply chain security is a fast-growing discipline with its own vocabulary. Learn the collocations for SBOMs, dependency audits, provenance verification, trusted registries, and cryptographic attestation in professional security discussions.
1 / 5
The security team required all releases to include a complete SBOM to ___ the provenance of every dependency.
Verify provenance is the standard supply chain security collocation. 'Document provenance' is about recording, not confirming; 'confirm' is less technical; 'establish provenance' implies creating it. 'Verify provenance' is the precise SLSA and SBOM term for confirming where a component came from and that it has not been tampered with.
2 / 5
After the SolarWinds incident, many organizations began to ___ a software bill of materials for every release artifact.
Generate an SBOM is the technical collocation for automated creation of a Software Bill of Materials. 'Create' and 'produce' are accurate but less precise; 'publish' is about distribution. 'Generate' reflects the automated, tooling-driven nature of SBOM creation in modern CI/CD pipelines.
3 / 5
The DevSecOps team set up an automated scanner to ___ vulnerable dependencies before they reached the main branch.
Detect vulnerable dependencies is the natural supply chain security collocation. 'Find' is informal; 'catch' is conversational; 'identify' is also correct but less automated-sounding. 'Detect' implies the scanner actively discovers threats — the appropriate term for automated security tooling.
4 / 5
We enforce that all container images must ___ cryptographic attestation before they can be deployed to production.
Carry cryptographic attestation is the natural supply chain security collocation. 'Include attestation' is also used; 'have' is too informal; 'contain' is imprecise. 'Carry attestation' is the idiomatic phrasing in SLSA and Sigstore documentation for artifacts that embed signed provenance metadata.
5 / 5
The policy required all third-party packages to be sourced only from ___ registries that have been security-vetted.
Trusted registries is the standard supply chain security collocation. 'Approved registries' is also common in policy language; 'verified' and 'certified' are outcomes of the vetting process, not descriptors of the registry. 'Trusted registries' is the precise zero-trust and artifact management term in software supply chain security policy.