Dependency Management

TLDR: Every dependency is securely defined, managed, and auditable.
Rationale: Inputs to the build process can introduce security and quality issues, so they must be defined, controlled, and transparent as part of the software development lifecycle.

Background

Key points:

  • You must have control over which dependencies are packaged into your software
  • All dependencies must comply with licensing requirements
  • You must only use software with licences agreed by AcmePay

Dependencies include Docker base images, third-party libraries, and other source code.

During the build, these inputs can be recorded as a software bill of materials (SBOM) alongside the binary provenance of the resulting artifact.
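As an added example (not Kosli's code and not an AcmePay artifact), the following Python script shows one way a build step can enforce the points above: it accepts only dependencies pinned to an exact version with a sha256 hash, checks each one against a licence allow-list standing in for the licences AcmePay has agreed to, and records the accepted inputs next to the artifact digest in a simplified CycloneDX-style SBOM. The package names, hashes, licence table and artifact bytes are all constructed for the example.

```python
"""Added example: gate a build on pinned, hashed, licence-approved dependencies
and record them as an SBOM together with the artifact digest."""
import hashlib
import json
import re

# Constructed allow-list standing in for the licences AcmePay has agreed to.
ALLOWED_LICENCES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed licence metadata; in a real build this comes from package
# metadata or a licence scanner, not a hand-written table.
LICENCE_OF = {"examplelib": "MIT", "netkit": "GPL-3.0-only", "fastjson": "Apache-2.0"}

# Constructed lockfile in pip's `name==version --hash=sha256:...` form.
# The hashes are placeholders, not digests of real packages.
LOCKFILE = """\
examplelib==1.4.2 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
netkit==0.9.0 --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
plainpkg==2.0
fastjson>=3.0
"""

PINNED = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?:\s+--hash=sha256:(?P<sha256>[0-9a-f]{64}))?$"
)


def parse_lockfile(text):
    """Return (deps, findings). A dependency is accepted only when it is pinned
    to an exact version and carries a sha256; anything else becomes a finding."""
    deps, findings = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PINNED.match(line)
        if not m:
            findings.append(f"unpinned or malformed requirement: {line!r}")
            continue
        if not m.group("sha256"):
            findings.append(f"{m.group('name')}: pinned without a sha256 hash")
            continue
        deps.append(m.groupdict())
    return deps, findings


def check_licences(deps, licence_of, allowed):
    """Flag every dependency whose licence is unknown or not on the allow-list."""
    findings = []
    for d in deps:
        lic = licence_of.get(d["name"])
        if lic is None:
            findings.append(f"{d['name']}: licence unknown")
        elif lic not in allowed:
            findings.append(f"{d['name']}: licence {lic} not agreed")
    return findings


def build_sbom(artifact_name, artifact_bytes, deps, licence_of):
    """Record the build inputs next to the artifact digest. The layout is a
    simplified CycloneDX-style document, not a spec-complete one."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {
            "component": {
                "name": artifact_name,
                "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(artifact_bytes).hexdigest()}],
            }
        },
        "components": [
            {
                "type": "library",
                "name": d["name"],
                "version": d["version"],
                "hashes": [{"alg": "SHA-256", "content": d["sha256"]}],
                "licenses": [{"license": {"id": licence_of.get(d["name"], "UNKNOWN")}}],
            }
            for d in deps
        ],
    }


def audit(lockfile=LOCKFILE, artifact=b"constructed build output",
          licence_of=LICENCE_OF, allowed=ALLOWED_LICENCES):
    """Run the whole gate. Returns (sbom, findings); an empty findings list
    means every input is pinned, hashed and licence-approved."""
    deps, findings = parse_lockfile(lockfile)
    findings += check_licences(deps, licence_of, allowed)
    return build_sbom("acmepay-service", artifact, deps, licence_of), findings


if __name__ == "__main__":
    sbom, findings = audit()
    print(json.dumps(sbom, indent=2))
    for f in findings:
        print("FINDING:", f)
```

Run as-is and the script prints the SBOM for the two accepted dependencies and three findings: `fastjson` is a version range rather than a pin, `plainpkg` is pinned but carries no hash, and `netkit` is under a licence that is not on the allow-list. A CI job would fail the build on any non-empty findings list and attach the SBOM to the artifact's provenance record.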

© Kosli 2023, all rights reserved