E.2.1 Release policy verification

Control Details

Objective

Ensure the products, materials, and processes used during the build pipeline adhere to the established product and organizational release policy

Definition

A release policy should be maintained as a policy template that outlines the required workflow as the software is developed, built, tested, and packaged, so that the integrity, authentication, and auditability of a software product are ensured from initiation to end-user installation. A framework such as in-toto can produce metadata during the build pipeline that attests to each step of the desired workflow. That metadata can be analyzed to ascertain whether the steps in the workflow actually occurred, and it provides cryptographic guarantees because the inputs and outputs of each step are hashed and the resulting record is signed by the party responsible for that step.
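The following is an added, simplified illustration of the mechanism described above; it is not code from in-toto or from any project and does not use in-toto's file formats. A hypothetical policy template (LAYOUT) lists the ordered steps, the artifacts each step may consume and must produce, and the key that must sign its record. Each step emits a signed link containing SHA-256 digests of its inputs and outputs, and the verifier checks that every step was attested, that each signature is valid for the expected key, that the recorded artifacts match the policy, and that an artifact produced by one step is byte-identical when the next step consumes it. The artifacts and keys are constructed for the example, and HMAC stands in for the asymmetric signatures in-toto actually uses so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed in-memory artifacts standing in for files in a pipeline (not from any real project).
ORIGINAL_ARTIFACTS = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "build/app": b"\x7fELF constructed binary contents",
    "dist/app.tar.gz": b"constructed tarball contents",
}

# Hypothetical release policy template: ordered steps, what each step may consume and
# must produce, and which key must sign its attestation.
LAYOUT = {
    "steps": [
        {"name": "build", "key": "builder",
         "expected_materials": ["src/main.c"], "expected_products": ["build/app"]},
        {"name": "package", "key": "packager",
         "expected_materials": ["build/app"], "expected_products": ["dist/app.tar.gz"]},
    ]
}

# Constructed signing keys. HMAC keeps the example dependency-free; in-toto itself uses
# asymmetric keys (e.g. Ed25519 or RSA) for the same purpose.
KEYS = {"builder": b"constructed-builder-key", "packager": b"constructed-packager-key"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialization so the signature covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(link: dict, key: bytes) -> str:
    return hmac.new(key, canonical(link), hashlib.sha256).hexdigest()


def record_step(name, materials, products, artifacts, key) -> dict:
    """Produce a signed link: digests of what the step consumed and what it produced."""
    link = {
        "step": name,
        "materials": {p: digest(artifacts[p]) for p in materials},
        "products": {p: digest(artifacts[p]) for p in products},
    }
    return {"link": link, "signature": sign(link, key)}


def verify(layout, links, keys) -> list:
    """Check recorded links against the layout. Returns a list of violations (empty == policy met)."""
    errors = []
    prev_products = {}
    for step in layout["steps"]:
        name = step["name"]
        signed = links.get(name)
        if signed is None:
            errors.append(f"{name}: no link metadata, step was not attested")
            continue
        link = signed["link"]
        if not hmac.compare_digest(sign(link, keys[step["key"]]), signed["signature"]):
            errors.append(f"{name}: signature not valid for key '{step['key']}'")
            continue
        if set(link["materials"]) != set(step["expected_materials"]):
            errors.append(f"{name}: materials {sorted(link['materials'])} differ from policy")
        if set(link["products"]) != set(step["expected_products"]):
            errors.append(f"{name}: products {sorted(link['products'])} differ from policy")
        # Artifact flow: anything consumed here that the previous step produced must be unchanged.
        for path, d in link["materials"].items():
            if path in prev_products and prev_products[path] != d:
                errors.append(f"{name}: material {path} changed after the previous step produced it")
        prev_products = link["products"]
    return errors


def honest_pipeline() -> dict:
    """Every step runs in order on unmodified artifacts, signed by the expected key."""
    links = {}
    for step in LAYOUT["steps"]:
        links[step["name"]] = record_step(step["name"], step["expected_materials"],
                                          step["expected_products"], ORIGINAL_ARTIFACTS,
                                          KEYS[step["key"]])
    return links


def tampered_pipeline() -> dict:
    """The built binary is replaced between the build and package steps."""
    links = honest_pipeline()
    swapped = {**ORIGINAL_ARTIFACTS, "build/app": b"\x7fELF different binary"}
    links["package"] = record_step("package", ["build/app"], ["dist/app.tar.gz"],
                                   swapped, KEYS["packager"])
    return links


if __name__ == "__main__":
    print("honest:", verify(LAYOUT, honest_pipeline(), KEYS) or "policy satisfied")
    print("tampered:", verify(LAYOUT, tampered_pipeline(), KEYS))
```

The flow check only compares a step's materials against the immediately preceding step's products; in-toto's layout rules are more expressive, but the principle the verifier enforces is the same: the policy template, not the pipeline's own output, decides which steps, artifacts and signers are acceptable.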

Assessment Questions

  1. How do you specify a templated build policy that defines the required build workflow, so that integrity, authentication, and auditability are ensured?
  2. How do you verify the build policy in a cryptographically provable way, such as with in-toto?

Reference sources

  1. SLSA Build L2: Hosted build platform
  2. CNCF-SSC: BP-V Enforcing policy; SC-V Require verification attestations / confirmation; A-V Policy