Controlled Build Environment
Control Code: KBC3
TL;DR: Build environments must be defined as code, ephemeral, and auditable
Rationale: A secure build environment is the foundation for mitigating software supply chain attacks. Build environments defined as code protect against interference that can happen in the build and distribution processes.
Background
Builds that are scripted and run in an ephemeral, controlled build environment are more resilient against supply chain attacks. If at all possible, we recommend teams use immutable Docker images to define the build environment. This enables auditing of the build environment, as well as security scanning and version control.
You can learn more about build security levels defined in the SLSA specification.
How we implement this control
- Our official builds occur in GitHub pipelines defined as code
- Each step runs in an immutable container
- Each build fingerprint is stored using Binary Provenance
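The following is an added example, not the project's own tooling, showing how the three points above can be checked mechanically: it audits a constructed sample workflow for container images pinned by digest (immutable) and actions pinned to a commit SHA (auditable), and it produces a sha256 fingerprint record for a build artifact. The sample workflow, the all-zero digest and commit placeholders, the `example-org/example-repo` builder id and the record's field names are all assumptions made for illustration.

```python
"""Audit a GitHub Actions workflow for a controlled build environment.

Added example, not the project's own code. It checks that:
  * every `container: image:` reference is pinned by a sha256 digest
    (an immutable image rather than a mutable tag)
  * every `uses:` action reference is pinned to a full 40-hex commit SHA
    rather than a movable tag or branch
and it fingerprints a build output so the digest can be recorded alongside
the source commit and the workflow that produced it.
"""
import hashlib
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")

# Constructed sample workflow. The digest and commit SHA are placeholders
# (all zeros); the last step is deliberately left pinned to a tag.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: docker.io/library/golang@sha256:{z64}
    steps:
      - uses: actions/checkout@{z40}
      - run: go build -o dist/app ./...
      - uses: actions/upload-artifact@v4
""".format(z64="0" * 64, z40="0" * 40)


def audit_workflow(text: str) -> list[str]:
    """Return one finding per unpinned reference; an empty list means compliant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("image:"):
            ref = line[len("image:"):].strip()
            if not DIGEST_RE.search(ref):
                findings.append(f"line {lineno}: container image not pinned by digest: {ref}")
        elif line.startswith(("uses:", "- uses:")):
            ref = line.split("uses:", 1)[1].strip()
            if ref.startswith("./"):
                continue  # local action: pinned by the checked-out commit itself
            if ref.startswith("docker://"):
                if not DIGEST_RE.search(ref):
                    findings.append(f"line {lineno}: docker action not pinned by digest: {ref}")
            elif not COMMIT_RE.search(ref):
                findings.append(f"line {lineno}: action not pinned to a commit SHA: {ref}")
    return findings


def fingerprint_record(artifact: bytes, source_commit: str, builder_id: str) -> dict:
    """Build a minimal provenance-style record for one artifact.

    Field names are illustrative; a real pipeline would emit an in-toto/SLSA
    provenance statement through the CI provider's attestation tooling.
    """
    digest = hashlib.sha256(artifact).hexdigest()
    return {
        "subject_sha256": digest,
        "source_commit": source_commit,
        "builder_id": builder_id,
    }


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    # Constructed artifact bytes and builder id, for illustration only.
    record = fingerprint_record(
        b"hello",
        "0" * 40,
        "https://github.com/example-org/example-repo/.github/workflows/release.yml",
    )
    print(record["subject_sha256"])
```

Run against the sample, the audit reports only the `actions/upload-artifact@v4` step, which is pinned to a floating tag rather than a commit; rewriting that reference to a commit SHA makes the workflow pass. Digest pinning of the `container:` image is what makes "each step runs in an immutable container" verifiable from the workflow file alone, and the fingerprint record is the minimum that a provenance store needs to tie a released binary back to the commit and workflow that built it.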