Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Store all source code and configuration-as-code in a code repository, and restrict access to it based on the nature of the code. For example, open source code intended for public access may need its integrity and availability protected; other code may also need its confidentiality protected.

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Use version control features of the repository to track all changes made to the code with accountability to the individual account.

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Use commit signing for code repositories to sign code.

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Have the code owner review and approve all changes made to the code by others.

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Use cryptography (e.g., cryptographic hashes) to help protect file integrity

Make software integrity verification information available to software acquirers.

Post cryptographic hashes for release files on a well-secured website.

Make software integrity verification information available to software acquirers.

Use an established certificate authority for code signing so that consumers’ operating systems or other tools and services can confirm the validity of signatures before use. Periodically review the code signing processes, including certificate renewal, rotation, revocation, and protection.

Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.

Store the release files, associated images, etc. in repositories following the organization’s established policy. Allow read-only access to them by necessary personnel and no access by anyone else.

Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.

Store and protect release integrity verification information and provenance data, such as by keeping it in a separate location from the release files or by signing the data.

Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a Software Bill of Materials (SBOM)).

Make the provenance data available to software acquirers in accordance with the organization’s policies, preferably using standards-based formats.

Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a Software Bill of Materials (SBOM)).

Make the provenance data available to the organization’s operations and response teams to aid them in mitigating software vulnerabilities.

Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a Software Bill of Materials (SBOM)).

Protect the integrity of provenance data, and provide a way for recipients to verify provenance data integrity.

Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a Software Bill of Materials (SBOM)).

Update the provenance data every time any of the software’s components are updated.