Fork this repo
Dependency Management

Dependency Management #

TLDR: Every dependency is defined securely, managed, and auditable
Rationale: Inputs to the build process can introduce security and quality issues, and as such must be defined, controlled, and transparent as part of the software development lifecycle.

Background #

Key points:

  • You must have control over what dependencies are packaged in your software
  • All dependencies must comply with licensing requirements
  • Must only use software with licences agreed by Kosli

Dependencies can include docker base images, 3rd-party libraries, and other source code.

Dependency Management

During build, these inputs to the build package can be recorded as the software bill-of-materials while recording binary provenance

How we implement this control #

We define these dependencies in the source code, at the application level and if relevent, at the Docker image level.

Application Dependencies
CLI Golang Dependencies
Server Python Dependencies
Docker Dependencies
Slack Application Python Dependencies
Docker Dependencies

© Kosli 2022, all rights reserved
CCPA Do not sell my info