Available at: https://digitalcommons.calpoly.edu/theses/3332
Date of Award: 6-2026
Degree Name: MS in Computer Science
Department/Program: Computer Science
College: College of Engineering
Advisor: Bruce DeBruhl
Advisor Department: Computer Science
Advisor College: College of Engineering
Abstract
CubeSat and small-satellite teams increasingly assemble software from open-source frameworks, third-party libraries, inherited code, and cloud-hosted CI/CD workflows. This expands the software supply chain beyond code the mission team controls, yet prior work has not systematically measured how consistently CubeSat-adjacent projects adopt supply chain controls or how practitioners explain adoption constraints. This thesis uses an exploratory mixed-methods design, combining an analysis of 56 public CubeSat repositories with eight semi-structured interviews with CubeSat practitioners. The repository analysis measured visible controls including dependency pinning, lockfiles, GitHub Actions permissions, action pinning, SBOM indicators, release integrity assets, and governance files. Adoption was uneven and concentrated in low-effort, default practices. Twenty-one of the 56 repositories showed no visible controls, and higher-maturity controls such as SBOM generation and signed releases were rare. Interviews identified heritage reuse, informal trust, compatibility risk, student turnover, and limited bandwidth as key constraints. Because a CubeSat is difficult to correct after launch, these public configurations are inherited downstream and can shape what reaches flight and ground software, which makes repository-level hygiene part of mission assurance. The thesis contributes an empirical baseline, a practitioner-centered explanation of adoption barriers, and a maturity-tiered framework that stages controls by team capacity.
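The abstract names the repository-level "visible controls" the study measured (dependency pinning, lockfiles, GitHub Actions permissions, action pinning, SBOM indicators, release integrity assets, governance files). The following is an added example, not the thesis' own tooling or coding scheme: a small Python checker that evaluates those controls over a constructed sample workflow, requirements file and file listing. The indicator file names it uses (lockfile names, SBOM hints, signature suffixes, governance files) and the sample commit SHA are this example's assumptions.

```python
"""Added example (not from the thesis): checker for the repository-level
"visible controls" the abstract lists, run over constructed sample inputs.
Indicator file names below are this example's assumptions, not the thesis' scheme."""
import re

# Constructed sample workflow: overly broad permissions, one tag-pinned action,
# one action pinned to a (constructed, illustrative) 40-hex commit SHA.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
      - run: pip install -r requirements.txt
"""

# Constructed requirements file with mixed pinning styles.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.24
pyserial
# flight-software helper, pinned by exact version
crcmod==1.7
"""

# Constructed file listing for a hypothetical CubeSat repo (no lockfile, no SBOM).
SAMPLE_FILES = ["README.md", "requirements.txt", ".github/workflows/build.yml", "LICENSE"]

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
LOCKFILES = {"requirements.lock", "poetry.lock", "Pipfile.lock", "package-lock.json", "Cargo.lock", "go.sum"}
SBOM_HINTS = ("sbom", ".spdx", ".cdx.json")
RELEASE_INTEGRITY_SUFFIXES = (".sig", ".asc", ".intoto.jsonl", "SHA256SUMS")
GOVERNANCE_FILES = {"SECURITY.md", "CODEOWNERS", ".github/CODEOWNERS", "CONTRIBUTING.md"}


def action_refs(workflow_text):
    """All `uses:` references in a workflow (plain string scan, no YAML parser needed)."""
    return re.findall(r"uses:\s*([^\s#]+)", workflow_text)


def unpinned_actions(workflow_text):
    """Actions not pinned to a full 40-hex commit SHA; tags and branches are mutable refs."""
    unpinned = []
    for ref in action_refs(workflow_text):
        if ref.startswith(("./", "docker://")):  # local or image refs are out of scope here
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def workflow_permissions(workflow_text):
    """Top-level `permissions:` value ('write-all', 'read-all', '{}', ...), 'scoped' for a
    per-scope block, or None when undeclared (the repository default then applies)."""
    for line in workflow_text.splitlines():
        m = re.match(r"permissions:\s*(.*?)\s*$", line)  # column 0 only: top-level key
        if m:
            return m.group(1) or "scoped"
    return None


def unpinned_requirements(req_text):
    """Requirement lines without an exact `==` pin (version ranges and bare names float)."""
    floating = []
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line and "@" not in line:  # `pkg @ url` direct references count as pinned
            floating.append(line)
    return floating


def assess(workflow_text, req_text, repo_files):
    """Summarise one repository's visible controls as a dict of findings."""
    names = [f.rsplit("/", 1)[-1] for f in repo_files]
    perms = workflow_permissions(workflow_text)
    return {
        "unpinned_actions": unpinned_actions(workflow_text),
        "permissions": perms,
        "overbroad_permissions": perms in (None, "write-all"),
        "unpinned_deps": unpinned_requirements(req_text),
        "has_lockfile": any(n in LOCKFILES for n in names),
        "has_sbom": any(any(h in f.lower() for h in SBOM_HINTS) for f in repo_files),
        "has_release_integrity": any(f.endswith(RELEASE_INTEGRITY_SUFFIXES) for f in repo_files),
        "has_governance": any(f in GOVERNANCE_FILES or n in GOVERNANCE_FILES for f, n in zip(repo_files, names)),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On the constructed sample the checker reports one tag-pinned action, `write-all` workflow permissions, two floating dependencies, and no lockfile, SBOM, release-integrity or governance indicators, which is the "default practices only" profile the abstract describes as common. Replacing the string scans with a YAML parser would be the first improvement for real repositories, since `uses:` can also appear inside reusable-workflow calls and job-level `permissions:` blocks can narrow or widen the top-level setting.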