Your application's attack surface is far larger than your own repository. It includes every dependency you pull, every GitHub Action in your workflows, every base image in your Dockerfiles, and the CI system that assembles them. Software supply-chain security is the practice of defending that whole chain.
The threat is leverage. Compromising one popular package, one unpinned Action, or one build server can reach thousands of downstream projects automatically — as the SolarWinds, Codecov, and event-stream incidents all showed. The attacker doesn't need to breach you; they breach something you trust.
Defences are concrete: pin dependencies and Actions to immutable versions (a commit SHA, not a moving tag), generate and verify an SBOM, scan for known-vulnerable packages, lock down CI permissions so a poisoned step can't exfiltrate secrets, and watch for typosquatted or newly malicious packages.
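Two of those defences, SHA-pinning Actions and restricting the workflow token, can be checked mechanically before a workflow is merged. The following is an added example written for this page, not code from any project it mentions: a small linter that walks a GitHub Actions workflow, flags every `uses:` reference that is not pinned to a full 40-hex commit SHA, and reports a missing or `write-all` top-level `permissions:` block. The sample workflow is constructed for the demonstration (the action names and the commit SHA in it are placeholders, not real releases), and the parser is deliberately line-based so it runs without PyYAML.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from any real repository). It mixes a
# moving tag (@v4), a branch ref (@main), a full commit SHA (placeholder,
# not a real commit), and a top-level permissions block that is far broader
# than a test job needs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - run: npm ci && npm test
"""

# A full Git commit SHA is exactly 40 lowercase hex characters; anything
# shorter or alphabetic (v4, main, latest) can be repointed by the publisher
# or by whoever compromises the publisher's account.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(.*)$")


def find_unpinned_actions(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` entry whose ref is not a 40-hex commit SHA."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        # Local composite actions and docker:// images are pinned differently
        # (repo contents and image digests); this linter leaves them alone.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append({"line": lineno, "uses": ref, "reason": "no ref given at all"})
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append({
                "line": lineno,
                "uses": ref,
                "reason": f"mutable ref '{version}'; pin to a 40-hex commit SHA",
            })
    return findings


def check_permissions(workflow_text: str) -> List[str]:
    """Flag a missing permissions block or one that grants the token every scope."""
    issues: List[str] = []
    found = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = PERMISSIONS_RE.match(line)
        if not m:
            continue
        found = True
        if m.group(1).strip() == "write-all":
            issues.append(f"line {lineno}: 'permissions: write-all' grants GITHUB_TOKEN every scope")
    if not found:
        # Without an explicit block the job inherits the repository default,
        # which may still be the broad legacy token scope.
        issues.append("no permissions: block; job inherits the repository default token scope")
    return issues


def audit(workflow_text: str) -> Dict[str, object]:
    """Run both checks and report whether the workflow passes."""
    unpinned = find_unpinned_actions(workflow_text)
    perms = check_permissions(workflow_text)
    return {"unpinned": unpinned, "permissions": perms, "ok": not unpinned and not perms}


if __name__ == "__main__":
    for finding in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['uses']}: {finding['reason']}")
    for issue in check_permissions(SAMPLE_WORKFLOW):
        print(issue)
```

Run against the sample, the linter reports the `@v4` and `@main` references and the `write-all` grant, and accepts the SHA-pinned step. In practice this belongs in a pre-merge check over `.github/workflows/*.yml`; a job that only needs to read the checkout should declare `permissions: contents: read` so a compromised step holds a token that cannot push, open releases, or read other scopes.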