P.3.3 Require signed commits

Control Details

Objective

Utilize legitimate components and software that have not been tampered with.

Definition

Using code that has been contributed through signed source code commits provides an integrity mechanism: a valid signature binds each commit to a key held by its author and makes later tampering with the commit detectable.
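One way to turn this control into an automated check, as an added example that is not part of the original control text: feed the output of `git log --format='%H %G? %GS' <base>..<head>` (git's one-letter signature status and signer name, a real git feature) to a small policy evaluator that lists every commit whose signature is missing, bad, unverifiable or made by a signer outside an allow-list. The sample log lines, commit ids and signer names below are constructed for illustration.

```python
"""Evaluate git commit-signature status against a signed-commit policy.

Assumed input (not from the original page): lines produced by
    git log --format='%H %G? %GS' <base>..<head>
where %G? is git's signature status letter and %GS the signer name.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Meaning of git's %G? status letters, as documented for git-log.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown key validity",
    "X": "good signature, but expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


@dataclass(frozen=True)
class CommitSignature:
    sha: str
    status: str
    signer: str


def parse_git_log(text: str) -> List[CommitSignature]:
    """Parse '<sha> <status> <signer name>' lines; signer may be empty."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Signer names contain spaces, so split at most twice.
        parts = line.split(" ", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed git log line: {line!r}")
        sha, status = parts[0], parts[1]
        if status not in STATUS_MEANING:
            raise ValueError(f"unknown %G? status {status!r} on {sha}")
        signer = parts[2].strip() if len(parts) == 3 else ""
        records.append(CommitSignature(sha, status, signer))
    return records


def policy_violations(
    records: Iterable[CommitSignature],
    trusted_signers: Set[str],
    accept_unknown_validity: bool = False,
) -> List[Tuple[str, str]]:
    """Return (sha, reason) for each commit failing the policy.

    Policy: only a good signature ('G') counts, optionally also a good
    signature from a key of unknown validity ('U'); if an allow-list of
    signers is given, the signer must be on it. Expired, revoked, bad,
    unverifiable and missing signatures are all violations.
    """
    accepted = {"G"} | ({"U"} if accept_unknown_validity else set())
    violations = []
    for rec in records:
        if rec.status not in accepted:
            violations.append((rec.sha, STATUS_MEANING[rec.status]))
        elif trusted_signers and rec.signer not in trusted_signers:
            violations.append((rec.sha, f"signed by untrusted signer {rec.signer!r}"))
    return violations


# Constructed sample: fake commit ids and signer names, not real data.
SAMPLE_LOG = """\
1111111 G Alice Maintainer
2222222 N
3333333 E
4444444 U Bob Contributor
5555555 G Carol Outsider
"""

TRUSTED = {"Alice Maintainer", "Bob Contributor"}


def check_sample() -> List[Tuple[str, str]]:
    """Run the policy over the constructed sample with the strict setting."""
    return policy_violations(parse_git_log(SAMPLE_LOG), TRUSTED)


if __name__ == "__main__":
    for sha, reason in check_sample():
        print(f"REJECT {sha}: {reason}")
```

In a CI job the same evaluator would read real `git log` output over the commits in a pull request and fail the build on any violation; keeping key validity strict (the default above) means commits signed with keys that git cannot link to a trusted identity are not accepted silently.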

Assessment Questions

  1. How do you require the software producers to sign code commits of the components and tools you bring into your product?

Reference sources

  1. BSIMM SE2.4
  2. CNCF-SSC BP-SA: Sign every step in the build process; SC-V: Require verification attestations / confirmation
  3. OSPS: OSPS-AC-01, OSPS-BR-06, OSPS-DO-03, OSPS-QA-07