Profile Applicability:
Level 1

Description:
All build artifacts—such as binaries, libraries, packages, or container images—must include metadata detailing their origin. This includes information like source code version, build date, builder identity, and build environment. Embedding such provenance data enables traceability from artifact back to source, supporting accountability, debugging, and security investigations.

Rationale:
Including origin information in artifacts links every deployed binary, package, or image to the exact source revision, builder, and build environment that produced it, which is what makes root cause analysis and incident investigation possible when a failure or compromise is found in production. When that metadata is signed, or is recorded by the build system and compared against the artifact at deployment time, it also helps verify authenticity and detect tampering; unsigned metadata embedded by the build alone establishes traceability but not authenticity. It further assists compliance with audit requirements by linking deployed artifacts to specific source versions and build processes.

Impact:
Pros:

  • Enhances traceability and accountability of deployed artifacts.

  • Facilitates debugging and incident investigation.

  • Supports compliance and audit readiness.

  • Helps prevent use of unauthorized or tampered artifacts when provenance is verified before deployment.

Cons:

  • May add complexity to build and packaging processes.

  • Requires consistent maintenance of provenance standards.

Default value:
By default, many build systems do not automatically embed detailed provenance metadata in artifacts.

Audit:
Inspect a sample of released artifacts of each type to confirm the presence of provenance information such as source repository and exact revision (a full commit identifier, not a branch name), build timestamp, builder identity, and build environment, using the inspection method appropriate to the artifact (for example, image labels or annotations for container images, embedded build information for compiled binaries, package metadata for language packages). Review build pipelines to confirm that a metadata generation step exists, that it runs for every artifact type, and that the values are taken from the build system itself (the checked-out revision, the job identity) rather than entered by hand. Treat artifacts with missing, empty, or placeholder fields as failing the check.

Remediation:
Integrate provenance metadata generation into build processes using tooling or scripts, sourcing each value from the build system (the version control checkout, the CI job or runner identity, the build image or toolchain version) so that it cannot be omitted or altered by the submitter. Define a standard for the required metadata fields and their formats, and enforce it in the pipeline so that artifacts lacking required fields are rejected before publication rather than merely flagged. Where authenticity matters, sign the provenance record or store it alongside the artifact digest in a trusted location so it can be verified at deployment. Train build and release teams on provenance practices.

References:

  1. The Update Framework (TUF) - Software Supply Chain Security: https://theupdateframework.io/

  2. Software Package Data Exchange (SPDX): https://spdx.dev/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/