E.2.8 Hardened and isolated builds

Control Details

Objective

Protect the integrity of build output

Definition

Builds should run in an ephemeral and hermetic (isolated and sealed) environment: no user-supplied parameters beyond the build entry point, and no network connectivity except to the hardened local repository of source code and dependencies and to the code-signing infrastructure.

Assessment Questions

  1. How do you ensure that the build service runs in an ephemeral environment, such as a container or VM, provisioned solely for the build?
  2. How do you ensure that the build service runs in an isolated environment free of influence from other build instances?
  3. How can the build output be affected by user parameters other than the build entry point?
  4. Is the build run with no network access (i.e., hermetic)?
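The definition and the four assessment questions above amount to a checklist that can be applied to a build job definition. The following is an added example (not part of this control text or any referenced framework) of a small policy checker: it takes a build job described as a plain dictionary (the shape, the host names `mirror.build.internal` and `signing.build.internal`, and the sample jobs are all constructed for illustration, not taken from a real CI system) and maps each finding to the assessment question it fails.

```python
"""Policy check for hardened and hermetic build job definitions.

Constructed example: a build job is described as a plain dict whose shape is
assumed for this illustration (it does not match any particular CI system).
Each finding is tagged with the assessment question (1-4) it relates to.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hosts a hermetic build is permitted to reach: the hardened local repository of
# source and dependencies, and the code-signing service. Names are assumed.
ALLOWED_EGRESS = {"mirror.build.internal", "signing.build.internal"}


@dataclass(frozen=True)
class Finding:
    question: int   # assessment question number (1-4) this finding relates to
    message: str


def assess_build_job(job: Dict) -> List[Finding]:
    """Return the ways in which `job` falls short of the hardened-build control."""
    findings: List[Finding] = []
    runner = job.get("runner", {})
    network = job.get("network", {})

    # Q1: the environment must be provisioned solely for this build.
    if not runner.get("ephemeral", False):
        findings.append(Finding(1, "runner is reused across builds; provision a fresh container or VM per build"))

    # Q2: no influence from other build instances (shared state or host privileges).
    if runner.get("shared_workspace", False):
        findings.append(Finding(2, "workspace is shared with other build instances"))
    if runner.get("privileged", False):
        findings.append(Finding(2, "privileged runner can influence other builds on the same host"))

    # Q3: the only user-controlled input is the build entry point.
    extra = sorted(k for k in job.get("parameters", {}) if k != "entry_point")
    if extra:
        findings.append(Finding(3, "build accepts user parameters beyond the entry point: " + ", ".join(extra)))

    # Q4: no network access except the hardened repository and signing infrastructure.
    if network.get("mode", "open") == "open":
        findings.append(Finding(4, "unrestricted network; builds must run with egress limited to the allow-list"))
    disallowed = sorted(set(network.get("egress_allow", [])) - ALLOWED_EGRESS)
    if disallowed:
        findings.append(Finding(4, "egress permitted to hosts outside the repository/signing infrastructure: " + ", ".join(disallowed)))

    return findings


def is_hardened(job: Dict) -> bool:
    """True when the job satisfies every check in assess_build_job."""
    return not assess_build_job(job)


def failed_questions(job: Dict) -> List[int]:
    """Sorted, de-duplicated list of assessment questions the job fails."""
    return sorted({f.question for f in assess_build_job(job)})


# Constructed sample jobs: one that meets the control and one that does not.
HARDENED_JOB = {
    "runner": {"ephemeral": True, "shared_workspace": False, "privileged": False},
    "parameters": {"entry_point": "make release"},
    "network": {"mode": "restricted",
                "egress_allow": ["mirror.build.internal", "signing.build.internal"]},
}

WEAK_JOB = {
    "runner": {"ephemeral": False, "shared_workspace": True, "privileged": False},
    "parameters": {"entry_point": "make release", "extra_flags": "-DDEBUG"},
    "network": {"mode": "open", "egress_allow": ["pypi.org"]},
}


if __name__ == "__main__":
    for name, job in (("hardened", HARDENED_JOB), ("weak", WEAK_JOB)):
        print(f"{name}: {'PASS' if is_hardened(job) else 'FAIL'}")
        for f in assess_build_job(job):
            print(f"  Q{f.question}: {f.message}")
```

Running the script prints PASS for the hardened job and FAIL for the weak one, with the weak job's five findings spread across all four assessment questions. The allow-list in `ALLOWED_EGRESS` is the enforcement point for the "no network connectivity except..." clause: any egress target outside it is reported, and an open network mode is reported regardless of the list.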

Reference sources

  1. SSDF PW.6.2
  2. OWASP-SCVS 3
  3. SLSA Build L3: Hardened builds
  4. CNCF-SSC Build L3: Hardened builds
     - BP-A Build Workers Should be Single Use
     - BP-CE Ensure Build Pipeline has minimal network connectivity
     - BP-CE Segregate the Duties of Each Build Worker
     - BP-CE Pass in Build Worker Environment and Commands