P.3.2 Trusted repositories
Control Details
Objective
Obtain candidate packages and containers from trusted ecosystems or rebuild.
Definition
Trusted public repositories may require signed packages and provide the means to verify the signatures; the packages and containers from these ecosystems should still be scanned. Organizations should host scanned repositories for high-assurance software and restrict build machines to only those sources.
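One way to check the last requirement, that build machines only consult the organization's scanned repositories, is to audit the package-manager configuration on those machines against an allowlist. The script below is an added example, not part of this control or any referenced framework; the host `packages.internal.example`, the allowlist, and the pip.conf and .npmrc contents are constructed for illustration.

```python
"""Audit a build machine's pip and npm configuration against an allowlist of trusted repositories (added example; hosts and file contents are constructed)."""
import configparser
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"packages.internal.example"}  # constructed: the internal, scanned mirror
# Constructed pip.conf: the primary index is internal, but extra-index-url
# reaches the public ecosystem directly, bypassing the scanned mirror.
PIP_CONF = """
[global]
index-url = https://packages.internal.example/simple
extra-index-url = https://pypi.org/simple
"""
# Constructed .npmrc: the default registry is public and fetched over plain HTTP.
NPMRC = """
registry=http://registry.npmjs.org/
@internal:registry=https://packages.internal.example/npm/
"""

def pip_sources(text):
    """Return every index URL a pip.conf would consult."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    urls = []
    for key in ("index-url", "extra-index-url"):
        urls.extend(cfg.get("global", key, fallback="").split())  # may list several
    return urls

def npm_sources(text):
    """Return every registry URL an .npmrc would consult (default and scoped)."""
    urls = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("registry"):
            urls.append(value.strip())
    return urls

def audit(urls):
    """Flag sources not on the allowlist or not fetched over HTTPS."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((url, "not https"))
        if parts.hostname not in TRUSTED_HOSTS:
            findings.append((url, "host not in trusted allowlist"))
    return findings

if __name__ == "__main__":
    for url, reason in audit(pip_sources(PIP_CONF) + npm_sources(NPMRC)):
        print(f"untrusted source: {url} ({reason})")
```

On the constructed inputs the audit reports the public PyPI extra index and the plain-HTTP public npm registry; a clean build machine yields an empty findings list.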
Assessment Questions
- What guidelines do you have for searching for candidate components in package managers trusted by your organization?
- How do you develop, publish, and maintain lists of container registries you trust?
Reference sources
- OWASP-SCVS 1.2 4.19
- S2C2F ING-1
- CNCF-SSC M-V: Define trusted package managers, repositories, and libraries
- OSPS OSPS-AC-03 OSPS-AC-04 OSPS-BR-01 OSPS-BR-06 OSPS-DO-03 OSPS-DO-06 OSPS-QA-02