E.1.2 Version control

Control Details

Objective

Prevent unauthorized changes to artifacts, both inadvertent and intentional.

Definition

Store project artifacts, including but not limited to source code, executable code, infrastructure as code, AI models, and configuration-as-code, in a repository with restricted access, applying the principle of least privilege according to the nature of the artifact. Use version control to track and store every change to these artifacts, with each change attributable to an authenticated individual account; grant access to personnel, tools, and services as needed. As appropriate, sign or encrypt artifacts. Retain the change history indefinitely.

Assessment Questions

  1. Describe how code and other important project artifacts are stored, e.g., under version control, with access granted to strongly authenticated personnel using the principle of least privilege.

Reference sources

  1. EO 4e(i)C 4e(iii) 4e(iv)
  2. SSDF PS.1.1
  3. SSDF-AI PS.1.1 PS.1.2 PS.1.3
  4. 800-161 SA-8, SA-10
  5. CNCF-SSC SC-V Authenticate and monitor repository activity
  6. OWASP-SCVS 4.10
  7. SLSA Source L1: Version controlled
  8. SAMM I-SB-1-A