E.2.4 CI/CD hosting and automation
Control Details
Objective
Through automated builds, reduce the human error, malicious actions and tampered artifacts that can cause the output of the build process to contain security vulnerabilities.
Definition
All CI/CD pipeline build steps should be automated, with the automation standardized across the enterprise through clear, templated build pipelines that meet organizational standards. The pipeline definition should be treated as 'pipeline as code': stored in version control, changed only through reviewed modifications, and immutable once a build has started. The build runs on a hosted build platform that generates and signs the provenance.
Assessment Questions
- How do you ensure reproducibility of your build processes, e.g. through defined build scripts, with the only manual step being to invoke the script?
- Do you store the build definition executed by the build service in a version control system, and is it fetched over a trusted channel with a trustworthy provenance chain?
- How do you ensure the build environment is reproducible, e.g. does the build run on a hosted build platform?
- How are the build steps, sources, and dependencies declared up front using immutable references, or immutable artifacts stored in a local repository manager?
- How are infrastructure, build scripts, and GitHub Actions handled 'as code', such as with code review, scanning, testing, and version control?
- How are configuration changes reviewed?
- How are CI/CD pipelines standardized across the enterprise?
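The three OSSF Scorecard checks cited under this control (pinned-dependencies, token-permissions, dangerous-workflow) can be turned into an automated gate on pipeline-as-code changes. The following is an added example, not part of this control's text or of any project's tooling: a line-based Python scan of a GitHub Actions workflow that flags `uses:` references not pinned to a full commit SHA or image digest, a missing or write-granting top-level `permissions:` block, and a `pull_request_target` trigger combined with checking out the pull request head. The function names, both sample workflows, and the 40-hex and sha256 values in them are constructed placeholders for this example.

```python
"""Added check: flag GitHub Actions workflows that do not meet this control.

Line-based scan for three Scorecard-style findings:
  - pinned-dependencies: every `uses:` must reference a full commit SHA (or image digest)
  - token-permissions: a top-level `permissions:` block that grants only read access
  - dangerous-workflow: `pull_request_target` combined with checking out the PR head
All names and both sample workflows below are constructed for this example.
"""
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_PERMS = re.compile(r"^permissions:\s*(\S*)")            # column 0 only: top level
TOP_PERM_SCOPE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")
PR_HEAD_REF = re.compile(r"^\s*ref:\s*.*github\.event\.pull_request\.head")


def is_pinned(ref: str) -> bool:
    """True when the `uses:` target cannot silently change between runs."""
    ref = ref.strip("\"'")
    if ref.startswith("./"):            # in-repo action, versioned with the workflow
        return True
    if ref.startswith("docker://"):     # container action: only a digest is immutable
        return "@sha256:" in ref
    if "@" not in ref:
        return False
    return bool(HEX40.match(ref.rsplit("@", 1)[1]))


def scan_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the workflow passes."""
    findings: list[str] = []
    has_top_perms = in_top_perms = pr_target = False
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].rstrip()     # drop trailing comments
        if not code.strip():
            continue
        m = TOP_PERMS.match(code)
        if m:
            has_top_perms = True
            in_top_perms = m.group(1) == ""       # block form follows on indented lines
            if m.group(1) == "write-all":
                findings.append(f"line {n}: top-level permissions: write-all")
            continue
        if in_top_perms:
            s = TOP_PERM_SCOPE.match(code)
            if s:
                if s.group(2) == "write":
                    findings.append(f"line {n}: top-level write permission on {s.group(1)}")
                continue
            in_top_perms = False                  # dedented: block ended
        if "pull_request_target" in code:         # heuristic: trigger declared before steps
            pr_target = True
        m = USES.match(code)
        if m and not is_pinned(m.group(1)):
            findings.append(f"line {n}: unpinned action {m.group(1)}")
        if pr_target and PR_HEAD_REF.match(code):
            findings.append(f"line {n}: pull_request_target checks out PR head (dangerous-workflow)")
    if not has_top_perms:
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repository default")
    return findings


# Constructed sample: the weak workflow (placeholder SHA, not a real commit)
BAD_WORKFLOW = """\
name: build
on:
  pull_request_target:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: make build
"""

# Constructed sample: the corrected workflow (placeholder SHA and digest)
HARDENED_WORKFLOW = """\
name: build
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # job-scoped: only where signing provenance needs the OIDC identity
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - run: make build
"""

if __name__ == "__main__":
    for name, wf in (("bad", BAD_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf) or ["OK"])
```

Run against the weak workflow this reports four findings (the unpinned `actions/checkout@v4`, the unpinned `docker://alpine:3.19`, the checkout of the PR head under `pull_request_target`, and the absent top-level `permissions:`); the corrected workflow reports none. The scan is deliberately line-based rather than a full YAML parse so it can run as a pre-merge check with no dependencies; a production gate would use a real YAML parser and also inspect job-level `permissions:` blocks.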
Reference sources
- EO 4e(iv)
- SSDF PW.6.2
- SSDF-AI PW.6.2
- BSIMM SE2.4, SE3.2
- SLSA Build L2: Hosted build platform; Source L3: Signed and auditable provenance
- OWASP-SCVS 2, 3
- OSSF-Scorecard dangerous-workflow, token-permissions, pinned-dependencies
- CNCF-SSC BP-A: Build and related CI/CD should be automated; BP-A: Standardize pipeline across projects; BP-A: Build workers should be single-use; BP-CE: Ensure software factory has minimal network connectivity; BP-CE: Pass in build worker environment and commands; BP-SA: Only allow pipeline modifications through 'pipeline as code'
- Self-attestation 4
- SAMM I-SB-1-A