Profile Applicability:
Level 1
Description:
The build pipeline must be designed and configured to produce reproducible artifacts, meaning that given the same source code and build environment, the output artifacts are identical each time. Reproducible builds enable verification of artifact integrity and facilitate reliable debugging and auditing.
Rationale:
Reproducible artifacts strengthen supply chain security by preventing undetected modifications and ensuring that builds can be independently verified. They support trust in software releases and compliance with security and quality standards.
Impact:
Pros:
Enables verification of build integrity.
Facilitates debugging and incident response.
Enhances software supply chain security.
Supports compliance and auditability.
Cons:
May require strict control over build environments and dependencies.
Could increase build complexity and maintenance overhead.
Default value:
Many build systems produce non-reproducible artifacts by default, causing potential trust and verification challenges.
Audit:
Review build configurations for reproducibility controls. Verify artifact checksums from multiple builds are identical.
Remediation:
Implement build environment standardization and use reproducible build tools. Document build processes and train teams on reproducibility practices.
References:
Reproducible Builds Project: https://reproducible-builds.org/
The Update Framework (TUF): https://theupdateframework.io/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/