Playbook
Our regulator is going to ask about supply-chain security and we have no answer
After the recent wave of supply-chain attacks, the CISO needs an audit-defensible answer for what is running in production. GitHub Advanced Security would surface vulnerabilities, leaked secrets, and dependency risks — but the team is split across GitHub and Azure DevOps, and adoption is uneven.
Trigger — Regulator interest in supply-chain risk; recent industry incidents.
Good outcome — GHAS live across repos, CodeQL findings triaged, secret scanning enforced, supply-chain attestations produced for production releases.