| IDs | Control |
|---|---|
| 2.14, 2.15, 5.12 | G.1.2 Software license conflict |
| 6.1, 6.2, 6.3, 6.4 | G.1.4 Deliver provenance |
| 1.4, 2 | G.1.5 Deliver SBOM |
| 1 | G.2.5 Asset inventory |
| 1.5 | G.3.1 Security-related contract terms |
| 4.12, 6 | P.1.2 Software release integrity |
| 3.20, 3.21 | P.2.1 Security design review |
| 1.2, 4.19 | P.3.2 Trusted repositories |
| 5 | P.3.4 Vetted third-party component and container repositories |
| 5.1, 5.4 | P.4.2 Automated security scanning tools |
| 5.1, 5.2 | P.4.3 Automated vulnerability detection |
| 5, 5.8 | P.4.5 Regular third-party compliance |
| 5.4 | P.5.1 SBOM consumption |
| 5.8 | P.5.2 Dependency update |
| 6.3 | E.1.1 Safely store release artifacts |
| 4.10 | E.1.2 Version control |
| 4.5 | E.1.3 Multi-factor authentication (MFA) |
| 4.17 | E.1.5 Branch protection |
| 5.8 | E.1.6 Decommission assets |
| 1.10, 4.13, 4.19 | E.2.2 Verify dependencies and environment |
| 3 | E.2.3 Defensive compilation and build |
| 2, 3 | E.2.4 CI/CD hosting and automation |
| 3 | E.2.8 Hardened and isolated builds |