Dependency Management #
Control Code: KBC4
TLDR: Every dependency is defined securely, managed, and auditable
Rationale: Inputs to the build process can introduce security and quality issues, and as such must be defined, controlled, and transparent as part of the software development lifecycle.
Background #
Key points:
- You must have control over what dependencies are packaged in your software
- All dependencies must comply with licensing requirements
- Must only use software with licences agreed by Kosli
Dependencies can include docker base images, 3rd-party libraries, and other source code.
During the build, these inputs to the build package can be recorded as the software bill of materials (SBOM) alongside the binary provenance.
How we implement this control #
We define these dependencies in the source code, at the application level and, if relevant, at the Docker image level.
| Application | Dependencies |
|---|---|
| CLI | Golang dependencies |
| Server | Python dependencies, Docker dependencies |
| Slack Application | Python dependencies, Docker dependencies |
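As an added example (not Kosli's own tooling or build code), the script below checks two of the dependency inputs named above, a Python requirements file and a Dockerfile, against the rules this control states: every dependency must be fully defined (exact version plus hash, base images pinned by digest) and every licence must be on the agreed allowlist. The requirements text, Dockerfile, SBOM component list and the licence allowlist are all constructed for illustration; a real allowlist would come from the organisation's licensing policy.

```python
"""Audit declared dependencies for pinning and licence compliance.

Added example, not Kosli's own tooling. The sample requirements file,
Dockerfile, SBOM component list and licence allowlist below are constructed
for illustration only.
"""
import re

# Hypothetical allowlist; the real one comes from the organisation's policy.
ALLOWED_LICENCES = {"MIT", "BSD-3-Clause", "Apache-2.0"}

# Constructed sample requirements.txt: one fully pinned entry, one range
# specifier, one exact version without a hash.
REQUIREMENTS_TXT = """\
# constructed sample
requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
flask>=2.0
pyyaml==6.0.1
"""

# Constructed sample Dockerfile: one base image pinned by digest, one by tag only.
DOCKERFILE = """\
# constructed sample
FROM python:3.11-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS base
FROM node:20
"""

# Constructed SBOM-style component list: (name, version, licence).
SBOM_COMPONENTS = [
    ("requests", "2.31.0", "Apache-2.0"),
    ("pyyaml", "6.0.1", "MIT"),
    ("some-copyleft-lib", "1.0.0", "GPL-3.0-only"),
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)(.*)$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}\b")


def check_requirements(text):
    """Return one finding per requirement that is not exactly pinned or has
    no --hash, i.e. whose resolved artifact is not fully defined."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"unpinned requirement: {line}")
            continue
        name, version, rest = m.groups()
        if "--hash=" not in rest:
            findings.append(f"no hash for {name}=={version}")
    return findings


def check_dockerfile(text):
    """Return one finding per FROM line whose image is not pinned by digest;
    a tag alone can be re-pointed at different content later."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "FROM":
            image = parts[1]
            if not DIGEST_RE.search(image):
                findings.append(f"base image not pinned by digest: {image}")
    return findings


def check_licences(components, allowed=ALLOWED_LICENCES):
    """Return one finding per component whose licence is outside the allowlist."""
    return [f"licence {lic} not allowed: {name}=={ver}"
            for name, ver, lic in components if lic not in allowed]


def audit():
    """Run all checks and return the combined list of findings (empty = pass)."""
    return (check_requirements(REQUIREMENTS_TXT)
            + check_dockerfile(DOCKERFILE)
            + check_licences(SBOM_COMPONENTS))


if __name__ == "__main__":
    findings = audit()
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(1 if findings else 0)
```

Run as a build step, a non-zero exit blocks the package from being produced when any input is unpinned or carries a licence outside the allowlist; the same findings can be attached to the build's provenance record so the decision is auditable later.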