E.2.7 Build output
Control Details
Objective
Through protected build environments, reduce the human error, malicious actions and malicious artifacts that can cause the output of the build process to contain security vulnerabilities.
Definition
Write the output of the build process to storage that is separate from the build inputs. A process separate from the build process should then upload the artifact to the appropriate deployable repository.
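The following shell script is an added illustration of this control, not part of the catalog or of any referenced project. It models the two separations the definition asks for: a build stage that writes its artifact out of the input workspace into a separate output store together with a SHA-256 manifest, and a distinct publish stage that takes only the output store as input, verifies the artifact against the manifest, and copies it into the deployable repository. The directory layout, the stand-in "build" (a tarball of a constructed source file) and the use of sha256sum/shasum are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not catalog text): build output written to a store separate
# from the inputs, and published by a separate step that reads only that store.

sha256_of() {
    # Print the SHA-256 of a file with whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

build_stage() {
    # $1: input workspace (sources)   $2: output store, separate from the inputs
    workspace="$1"; outstore="$2"
    mkdir -p "$workspace/src" "$outstore"
    # Constructed sample input; a real build would compile the project here.
    printf 'hello from the build\n' > "$workspace/src/app.txt"
    # Stand-in build step: produce the artifact inside the workspace ...
    tar -cf "$workspace/app.tar" -C "$workspace/src" app.txt
    # ... then move it to the separate output store and record its digest.
    mv "$workspace/app.tar" "$outstore/app.tar"
    sha256_of "$outstore/app.tar" > "$outstore/app.tar.sha256"
    # Later steps consume the stored artifact; they should not modify it.
    chmod 0444 "$outstore/app.tar" "$outstore/app.tar.sha256"
}

publish_stage() {
    # $1: output store   $2: deployable repository
    # Runs as its own step and never touches the build workspace: the output
    # store and its manifest are the only inputs it trusts.
    outstore="$1"; repo="$2"
    expected=$(cat "$outstore/app.tar.sha256")
    actual=$(sha256_of "$outstore/app.tar")
    if [ "$expected" != "$actual" ]; then
        echo "refusing to publish: artifact digest does not match manifest" >&2
        return 1
    fi
    mkdir -p "$repo"
    cp "$outstore/app.tar" "$repo/app.tar"
    cp "$outstore/app.tar.sha256" "$repo/app.tar.sha256"
}

# Stand-alone run: build into a temporary tree, then publish via the separate stage.
demo_root=$(mktemp -d)
build_stage "$demo_root/workspace" "$demo_root/outstore"
publish_stage "$demo_root/outstore" "$demo_root/repo" && echo "published: $(ls "$demo_root/repo")"
rm -rf "$demo_root"
```

In a real pipeline the two functions would be separate jobs with separate credentials: the build job can write to the output store but has no token for the package repository, and the publish job has the repository token but no access to the source workspace, so a compromised build step cannot push directly and the manifest check catches anything altered in the store between the two steps.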
Assessment Questions
- How does the project store the build artifacts?
- How does the project build and publish official packages?
Reference sources
- OSSF-Scorecard packaging
- CNCF-SSC BP-CE: Write output to a separate secured storage repo