A build process includes more than just compiling your source code. It also includes steps such as managing (third-party) dependencies, configuring the environment, running the unit tests, etc. A defined build process automates these steps to ensure consistency. This can be done with a Jenkinsfile, Maven, or similar tools.
Risk: Performing builds without a defined process is error prone, for example resulting in incorrect security-related configuration.
While building and testing artifacts, third-party systems, application frameworks and third-party libraries are used. These might be malicious as a result of vulnerable libraries or because they are altered during the delivery phase.
Risk: Third-party systems, application frameworks and libraries used while building and testing artifacts might be malicious, either because they contain vulnerable libraries or because they are altered during the delivery phase.
Pinning of artifacts ensures that changes are performed only when intended.
Risk: Unauthorized manipulation of artifacts might be difficult to spot; for example, this may result in using images with malicious code. Also, intended major changes in an upstream image that are picked up automatically might break functionality.
SBOM (Software Bill of Materials) is a document that lists all components, libraries, and dependencies used in a software application or container image. Creating an SBOM during the build process can help ensure transparency, security, and license compliance for your application.
Risk: In case a vulnerability of severity high or critical exists, it needs to be known where an artifact with that vulnerability is deployed, and with which dependencies.
Digitally signing commits helps to prevent unauthorized manipulation of source code.
Risk: Execution or usage of malicious code or data, e.g. via executables, libraries or container images.
To perform a push to a GitHub repository, you must be authenticated. It's important to note that GitHub does not verify whether the authenticated user's email address matches the one in the commit. To clearly identify the author of a commit for reviewers, commit signing is recommended. GitHub Actions such as semantic-release-action do not automatically sign commits and may encounter issues as a result. To address this, you can refer to a working configuration example in the workflow folder of DSOMM, which demonstrates how to use semantic-release-action in conjunction with planetscale/ghcommit-action. For added security, consider using fine-grained personal access tokens provided by your organization for a specific repository. Store the Personal Access Token (PAT) as a secret in your project.
Risk: Execution or usage of malicious code or data, e.g. via executables, libraries or container images.
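As an added example (not part of DSOMM or the page), the following Python check ties the artifact-pinning activity to the GitHub Actions workflows mentioned above: it flags Dockerfile base images that are referenced by a mutable tag instead of a digest, and workflow steps that reference an action by a tag or branch instead of a full commit SHA. The Dockerfile, workflow, digest and commit SHA are constructed sample values, not real ones.

```python
import re

# Constructed sample inputs: one weakly pinned and one properly pinned
# reference each. The digest and commit SHA are placeholders, not real values.
DOCKERFILE = """\
FROM --platform=linux/amd64 python:3.12-slim AS builder
FROM nginx:1.25.3@sha256:4c0fdaa8b6341bfdeca5f18f7837462c80cff90527ee35ef185571e1c327beac
COPY . /app
"""

WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-step
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image digest
GIT_SHA_RE = re.compile(r"@[0-9a-f]{40}$")          # immutable git commit


def unpinned_images(dockerfile: str) -> list[str]:
    """Return FROM references not pinned to an image digest.
    A tag like ':3.12-slim' can be re-pointed by the registry owner, so only
    an '@sha256:' digest counts as pinned. 'scratch' is not a pulled image."""
    findings = []
    for line in dockerfile.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "FROM":
            refs = [p for p in parts[1:] if not p.startswith("--")]  # drop flags
            ref = refs[0]
            if ref.lower() != "scratch" and not DIGEST_RE.search(ref):
                findings.append(ref)
    return findings


def unpinned_actions(workflow: str) -> list[str]:
    """Return 'uses:' references pinned to a mutable tag or branch instead of
    a full 40-hex commit SHA. Local actions ('./...') are part of the repo."""
    findings = []
    for line in workflow.splitlines():
        m = re.search(r"uses:\s*(\S+)", line)
        if m and not m.group(1).startswith("./") and not GIT_SHA_RE.search(m.group(1)):
            findings.append(m.group(1))
    return findings


if __name__ == "__main__":
    print("Unpinned images:", unpinned_images(DOCKERFILE))
    print("Unpinned actions:", unpinned_actions(WORKFLOW))
```

Run it as a build step that fails the job when either list is non-empty; note that pinning by digest or SHA only freezes the content, so a separate update process (e.g. Dependabot or Renovate) is still needed to pull in intended changes.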