Controlled Build Environment

Control ID: SDLC-CTRL-0003 | Type: Preventive

Summary

Build environments are defined as code, ephemeral, and auditable, providing resilience against supply chain attacks.

Description

Builds that are scripted and executed in ephemeral, controlled build environments are more resilient against software supply chain attacks. Defining the build environment as code makes every change to it a reviewable, version-controlled commit, which protects against interference during the build and distribution processes: a tampered toolchain has to show up as a diff rather than as an unexplained change on a long-lived build host.

Using immutable container images to define the build environment enables auditing of the build toolchain, as well as security scanning and version control of the environment itself. Ephemeral environments ensure that no persistent state from previous builds can influence subsequent builds.

Requirements

  • Build environments MUST be defined as code and stored in version control
  • Build steps MUST be scripted and reproducible
  • Build environments SHOULD be ephemeral — created fresh for each build and destroyed afterwards
  • Build environment definitions SHOULD use immutable container images where possible
  • Build artefact fingerprints MUST be recorded for traceability

How we implement this control

  • Our official builds occur in GitHub pipelines defined as code and stored in version control
  • Each step runs in an immutable container, so no state carries over from one build to the next
  • Each build's artefact fingerprint is stored using Binary Provenance for later traceability

You can learn more about build security levels defined in the SLSA specification.
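The following is an added example, not Kosli's own pipeline definition, showing how the requirements above and the implementation notes in this section translate into a GitHub Actions workflow: the job runs on a fresh runner, every step executes inside a toolchain image pinned by digest rather than by a mutable tag, the build is scripted, and the artefact's SHA-256 fingerprint is recorded together with the exact build image and commit it came from. The image name, its digest (written as all zeros), the `make release` target and the `dist/app.tar.gz` path are placeholders to replace with your own.

```yaml
# Added example (not Kosli's own pipeline). Placeholders: the image name and
# digest, the `make release` target and the dist/app.tar.gz artefact path.
name: controlled-build

on:
  push:
    branches: [main]

# Least privilege: the build job only needs to read the repository.
permissions:
  contents: read

env:
  # Immutable toolchain image, referenced by digest so a re-tagged image
  # cannot silently change the build. PLACEHOLDER digest (all zeros).
  BUILD_IMAGE: ghcr.io/example/build-toolchain@sha256:0000000000000000000000000000000000000000000000000000000000000000

jobs:
  build:
    # Ephemeral hosted runner: created for this job and destroyed afterwards,
    # so no state from a previous build can influence this one.
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/build-toolchain@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      # Pin third-party actions to a full commit SHA in production rather than
      # a moving tag such as v4; the tag is used here only for readability.
      - uses: actions/checkout@v4

      - name: Scripted, reproducible build
        run: |
          set -euo pipefail
          # Fix the timestamp to the commit time so building the same commit
          # twice yields byte-identical output (for toolchains that honour it).
          export SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)"
          make release   # assumed target that produces dist/app.tar.gz

      - name: Record artefact fingerprint and build-environment provenance
        run: |
          set -euo pipefail
          FINGERPRINT="$(sha256sum dist/app.tar.gz | cut -d' ' -f1)"
          # The record ties the artefact digest to the commit, the workflow run
          # and the exact image the build ran in, which is what a later
          # traceability check needs.
          cat > dist/provenance.json <<EOF
          {
            "artefact": "dist/app.tar.gz",
            "sha256": "${FINGERPRINT}",
            "commit": "${GITHUB_SHA}",
            "workflow_run": "${GITHUB_RUN_ID}",
            "build_image": "${BUILD_IMAGE}"
          }
          EOF
          cat dist/provenance.json

      # Keep the artefact and its record together; in a real pipeline the
      # fingerprint is also submitted to the provenance store described above.
      - uses: actions/upload-artifact@v4
        with:
          name: release-with-provenance
          path: |
            dist/app.tar.gz
            dist/provenance.json
```

The `sha256sum` output is the fingerprint the requirements call for; submitting it to the binary provenance store (on this page, Kosli's Binary Provenance) is left as a separate step because its exact command line is not part of this section. Note that the digest appears twice, in `env` and in `container.image`, because GitHub Actions does not expand job-level `env` inside `container.image`; keep both in sync, ideally by generating the workflow from a single source.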

Compliance Frameworks

NIST SP 800-53 Rev. 5
  • SA-10 — Requires the development environment to be configured and controlled.
  • SA-11 — Developer testing and evaluation — controlled build environments ensure consistent and reproducible test conditions.
  • SA-15 — Development process, standards, and tools — mandates use of controlled development tools and environments.
  • CM-2 — Baseline configuration — ephemeral build environments defined as code establish a known baseline for every build.
  • CM-6 — Configuration settings — build environment configuration must be defined as code and version-controlled.
  • SI-7 — Software and information integrity — immutable build containers prevent tampering during the build process.
SOC 2 Type II
  • CC8.1 — Requires controlled change management infrastructure; a controlled build environment ensures reproducible, auditable builds.
  • CC6.1 — Requires logical access controls; maps to restricting who can modify build pipelines and CI/CD configuration.
  • CC7.1 — Requires detection of anomalous activity; controlled build environments limit the blast radius of compromised components.

© Kosli 2026, all rights reserved