Profile Applicability:
Level 1

Description:
All steps involved in the build process must be defined explicitly as code using pipeline configuration files or scripts (e.g., YAML, JSON, or DSL). Defining build steps as code ensures repeatability, version control, and transparency in the build process.

Rationale:
Defining build steps as code enables automated builds, reduces manual errors, and facilitates auditing and change management. It supports infrastructure-as-code principles and promotes collaboration and consistency across development teams.

Impact:
Pros:

  • Enhances build process reproducibility and reliability.

  • Provides traceability through version control.

  • Simplifies maintenance and updates.

  • Supports automated auditing and compliance.

Cons:

  • Requires initial setup and ongoing maintenance of pipeline code.

  • May involve a learning curve for build scripting or configuration languages.

Default value:
Some organizations may rely on manual or GUI-based build configurations lacking code versioning.

Audit:
Review repository contents and pipeline configurations to confirm all build steps are codified. Check version control history for build pipeline changes.
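One way to script the audit step above, as an added example that is not part of the benchmark text: the map of CI/CD tools to pipeline definition files, and the sample `git ls-files` listing, are assumptions that should be adjusted to the tools actually in use.

```python
import fnmatch
import subprocess

# Pipeline definition conventions of common CI/CD tools (assumption: extend for other tools).
PIPELINE_PATTERNS = {
    "jenkins": ["Jenkinsfile", "*/Jenkinsfile"],
    "github-actions": [".github/workflows/*.yml", ".github/workflows/*.yaml"],
    "gitlab-ci": [".gitlab-ci.yml"],
    "azure-pipelines": ["azure-pipelines.yml"],
}
# Constructed sample of `git ls-files` output, for a stand-alone run without a repository.
SAMPLE_TRACKED = [".github/workflows/ci.yml", "Jenkinsfile", "src/app.py", "build.sh"]
def find_pipeline_definitions(tracked_files):
    """Return {tool: [files]} for every tracked file that is a pipeline definition."""
    found = {}
    for tool, patterns in PIPELINE_PATTERNS.items():
        hits = sorted(f for f in tracked_files
                      if any(fnmatch.fnmatchcase(f, p) for p in patterns))
        if hits:
            found[tool] = hits
    return found

def evaluate(tracked_files, commit_counts):
    """PASS needs at least one codified pipeline, each with >= 1 commit;
    commit_counts maps pipeline file -> number of commits that touched it."""
    found = find_pipeline_definitions(tracked_files)
    findings = []
    if not found:
        findings.append("no pipeline-as-code definition found in version control")
    for tool, files in found.items():
        for f in files:
            if commit_counts.get(f, 0) == 0:  # tracked (e.g. staged) but never committed
                findings.append(f"{f} ({tool}) has no commit history")
    return {"status": "FAIL" if findings else "PASS",
            "definitions": found, "findings": findings}

def git(repo, *args):
    """Run a read-only git command in `repo` and return its stdout."""
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout

def audit_repo(repo):
    """Audit a local clone: tracked files via ls-files, change history via rev-list."""
    files = git(repo, "ls-files").splitlines()
    defs = [f for fs in find_pipeline_definitions(files).values() for f in fs]
    counts = {f: int(git(repo, "rev-list", "--count", "HEAD", "--", f).strip() or 0) for f in defs}
    return evaluate(files, counts)

if __name__ == "__main__":  # demo on the constructed sample (no git needed)
    print(evaluate(SAMPLE_TRACKED, {".github/workflows/ci.yml": 12, "Jenkinsfile": 3}))
```

Point `audit_repo` at a local clone to produce the evidence the audit asks for: which build definitions exist, and whether each carries commit history that can be reviewed for pipeline changes.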

Remediation:
Migrate manual build steps to code-based pipeline definitions. Implement CI/CD tools supporting pipeline-as-code. Train teams on best practices for build scripting.

References:

  1. Jenkins Pipeline as Code: https://www.jenkins.io/doc/book/pipeline/

  2. GitHub Actions Workflow Syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/