A primary blockchain for a software application is created that comprises a first block associated with a software component of the software application. An event is received that is associated with the software component. In response to receiving the event, a component blockchain is created that is associated with the software component. The component blockchain comprises a second block associated with the event. The component blockchain links to the primary blockchain. This provides a structure for managing supply chains of software components. As new software components are received, the new software components can be managed and tracked for quality/security.