Defined Toolchain #
TLDR: Build environments must be defined securely and auditable
Rationale: A secure build environment is the foundation for a mitigating software supply chain attacks. Build environments defined as code protect against interference that can happen in the build and distribution processes.
Background #
Builds that are scripted, ran in an ephemeral and controlled build environment are more resilient against supply chain attacks. If at all possible, we recommend teams use immutable docker images to define the build environment. This enables auditing of the build environment, as well as security scanning and version control.
You can learn more about build security levels defined in the slsa specification.