Dependency Management

Dependency Management #

TLDR: Every dependency is defined securely, managed, and auditable
Rationale: Inputs to the build process can introduce security and quality issues, and as such must be defined, controlled, and transparent as part of the software development lifecycle.

Background #

Key points:

  • You must have control over what dependencies are packaged in your software
  • All dependencies must comply with licensing requirements
  • Must only use software with licences agreed by Stacc

Dependencies can include docker base images, 3rd-party libraries, and other source code.

Dependency Management

During build, these inputs to the build package can be recorded as the software bill-of-materials while recording binary provenance

Forked from https://www.devopsctl.com and maintained by
© Stacc 2024, all rights reserved