| SLSA requirement | Mapped control |
|---|---|
| Producing artifacts | G.1.3 Produce attestation |
| Distributing provenance; Source L3: Signed and auditable provenance | G.1.4 Deliver provenance |
| Source L3: Signed and auditable provenance | G.1.5 Deliver SBOM |
| Verifying artifacts | G.3.1 Security-related contract terms |
| Distributing provenance; Source L3: Signed and auditable provenance | P.1.2 Software release integrity |
| Verifying artifacts; Build L1: Provenance exists | P.3.4 Vetted third-party component and container repositories |
| Source L4: Two-party review | P.4.1 Security code review |
| Source L3: Signed and auditable provenance | E.1.1 Safely store release artifacts |
| Source L1: Version controlled | E.1.2 Version control |
| Source L2: Controls | E.1.5 Branch protection |
| Build L2: Hosted build platform | E.2.1 Release policy verification |
| Verifying artifacts | E.2.2 Verify dependencies and environment |
| Verifying build platforms | E.2.3 Defensive compilation and build |
| Build L2: Hosted build platform; Source L3: Signed and auditable provenance | E.2.4 CI/CD hosting and automation |
| Build L3: Hardened builds | E.2.5 Secured orchestration platform |
| Build L3: Hardened builds | E.2.8 Hardened and isolated builds |