E.2.2 Verify dependencies and environment

Control Details

Objective

Ensure the build environment's sources and dependencies come from a secure, trusted source of truth

Definition

Analyze the integrity of build tools, components, and containers before bringing them into the pipeline. Validate the point of origin/provenance, checksums, and signatures in the downloading and ingesting processes. Request SBOM, provenance, and self-attestation to aid in achieving this goal.

Assessment Questions

  1. How do you track packages back to their repositories?
  2. How do you verify the integrity (e.g. digital signature or hash match) and the provenance data of each component and container?
  3. How do you validate that the build environment's sources and dependencies come from a secure, trusted source of truth?
  4. What is your dependency version constraint strategy, e.g. how do you manage pinning and floating versions of your dependencies?
  5. How do you validate that the deployment environment's sources and dependencies come from a secure, trusted source of truth?
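The following Python script is an added example that is not part of this control text or any referenced framework. It illustrates the Definition above and assessment questions 2 and 4 as a pre-ingest gate: each dependency in a pip-style lock file must be pinned exactly (not floating), must carry a recorded SHA-256 hash, and the bytes actually fetched must match that hash before the package is allowed into the build. The lock-file lines, the package payloads, and the fetch functions are all constructed for the example; a real pipeline would fetch from its approved index and would add signature and provenance checks on top of the hash check shown here.

```python
"""Gate a dependency set before it enters the build (added example).

Per requirement in a pip-style lock file the gate checks that:
  1. the version is pinned exactly (==), not floating;
  2. at least one --hash=sha256:<hex> is recorded;
  3. the bytes actually fetched match one of the recorded hashes.
Lock-file lines, payloads and fetch functions are constructed here; nothing
is downloaded.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed package payloads standing in for downloaded wheels/tarballs.
GOOD_PAYLOADS = {
    "requests": b"requests-2.31.0 wheel bytes (constructed)",
    "urllib3": b"urllib3-2.2.1 wheel bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lock file. The hashes for requests/urllib3 are what a maintainer
# would have recorded at lock time; certifi is floating and idna has no hash,
# so the gate can show how each policy failure is reported.
SAMPLE_LOCKFILE = (
    f"requests==2.31.0 --hash=sha256:{sha256_hex(GOOD_PAYLOADS['requests'])}\n"
    f"urllib3==2.2.1 --hash=sha256:{sha256_hex(GOOD_PAYLOADS['urllib3'])}\n"
    "certifi>=2024.2.2\n"
    "idna==3.6\n"
)

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*(\S*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: str
    hashes: list[str] = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        return self.operator == "=="


def parse_lockfile(text: str) -> list[Requirement]:
    """Parse 'name<op>version [--hash=sha256:...]' lines; comments are ignored."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        reqs.append(Requirement(m.group(1).lower(), m.group(2), m.group(3),
                                HASH_RE.findall(line)))
    return reqs


def verify_artifact(data: bytes, recorded_hashes: list[str]) -> bool:
    """True if the fetched bytes match any hash recorded in the lock file."""
    actual = sha256_hex(data)
    return any(hmac.compare_digest(actual, h) for h in recorded_hashes)


def gate_dependencies(lockfile_text: str,
                      fetch: Callable[[str, str], bytes]) -> dict[str, str]:
    """Return one finding per dependency: 'ok' or the first policy failure."""
    findings = {}
    for req in parse_lockfile(lockfile_text):
        if not req.pinned:
            findings[req.name] = "floating-version"   # pin, do not float
        elif not req.hashes:
            findings[req.name] = "missing-hash"       # nothing to verify against
        elif not verify_artifact(fetch(req.name, req.version), req.hashes):
            findings[req.name] = "hash-mismatch"      # do not ingest
        else:
            findings[req.name] = "ok"
    return findings


def fetch_ok(name: str, version: str) -> bytes:
    """Constructed fetch returning exactly the bytes the maintainer hashed."""
    return GOOD_PAYLOADS[name]


def fetch_tampered(name: str, version: str) -> bytes:
    """Constructed fetch where the mirror serves altered bytes for urllib3."""
    if name == "urllib3":
        return GOOD_PAYLOADS[name] + b" (modified in transit)"
    return GOOD_PAYLOADS[name]


if __name__ == "__main__":
    for label, fetch in (("trusted fetch", fetch_ok), ("tampered fetch", fetch_tampered)):
        print(label, gate_dependencies(SAMPLE_LOCKFILE, fetch))
```

Run as a script it prints the findings for both fetch paths: with the trusted fetch only the floating and unhashed entries are flagged; with the tampered fetch urllib3 is additionally reported as hash-mismatch and would be rejected before it reaches the build. The hash check is the minimum; signature and provenance verification (SLSA provenance, an SBOM cross-check) slot in at the same point in the gate.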

Reference sources

  1. OSSF-Scorecard pinned-dependencies
  2. SLSA Verifying artifacts
  3. OWASP-SCVS 1.10 4.13 4.19
  4. S2C2F AUD-1 AUD-3 AUD-4
  5. CNCF-SSC M-V: Verify third-party artifacts and open source artifacts; BP-V: Validate environments and dependencies before usage; D-V: Admission controller/deployment gate