E.1.4 Developer SSH key

Control Details

Objective

Decrease the chances developer account will be compromised.

Definition

Use SSH keys or SSH certificates for developers and agents in CI/CD pipelines to access source code repositories from their development tools rather than traditional passwords/credentials that are more likely to be compromised. Passphrases should be used to protect SSH keys.

Assessment Questions

1. How do you avoid using passwords, e.g., through the use of SSH keys, SSH certificates, or short-term rotated Access Tokens?

Reference sources

1. CNCF-SSC SC-SA: Use SSH keys to provide developers access to upstream source code repositories