PS.1.1: Store all forms of code including source code, executable code, and configuration-as-code based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Sign and verify container images, binaries, and other artifacts.

Immutable public transparency log for signatures and metadata.

End-to-end supply chain verification to ensure deployed artifacts came from trusted sources.

Sign and verify any file type, including tarballs and configuration files.

Container registry with built-in vulnerability scanning, content signing, and RBAC.

Secure artifact repository with access controls.

Manages binary repositories with fine-grained permissions.

Monitors filesystem for unauthorized changes.

Creates a baseline of files and detects alterations.

Detects suspicious activity in Kubernetes or container environments, including file changes.

Enforces role-based policies for container image deployment.

Centralized authentication/authorization for artifact registries and CI/CD systems.

SIEM platform that monitors access logs and alerts on anomalies.

Tracks which version of a service is deployed where, and links to its signed SBOM.

Generates SBOMs for deployed artifacts for later verification.

Monitors components in deployed artifacts against CVE feeds.

Container registry with image retention policies, RBAC, and content trust.

Artifact repository for storing binaries and dependencies.

Binary management with retention and access control.

Tag and store release binaries, SBOMs, and checksums.

Sign and verify container images, SBOMs, and other artifacts.

Immutable transparency log for all signed artifacts and metadata.

Sign and verify tarballs, binaries, or SBOM files.

Provide end-to-end build provenance verification.

Maps deployed services to specific versions and their SBOMs.

Generates SBOMs from deployed artifacts.

Continuously monitors SBOMs for new CVEs in preserved releases.

Filesystem integrity checker to detect changes in stored artifacts.

Baseline and monitor stored release directories for modifications.

SIEM that audits artifact repository activity.

Linux-level auditing for access to preserved release files.

Restrict who can upload or modify artifacts in registries.

PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.

PS.3.2: Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).

Generate SBOMs from deployed containers, VMs, or file systems (SPDX & CycloneDX formats).

Create SBOMs and scan for vulnerabilities in deployed systems.

Record build steps and supply chain metadata as signed “link” files.

Capture build and deployment provenance as signed attestations.

Sign SBOMs and metadata for offline or private distribution.

Store signatures and attestations in an immutable, public transparency log.

Detect unauthorized changes in locally stored provenance archives.

Detect unauthorized changes in locally stored provenance archives.

Version and track deployed services and their SBOMs; link them to environments and releases. API/UI access for sharing SBOM and component history for specific releases.

Continuously monitor preserved SBOMs for new CVEs.

Attach SBOMs and signatures to container images in a registry.

Host and validate SBOMs in a web-accessible interface.