Dependency Management
TLDR: Every dependency is defined securely, managed, and auditable
Rationale: Inputs to the build process can introduce security and quality issues, and as such must be defined, controlled, and transparent as part of the software development lifecycle.
Background
Key points:
- You must have control over what dependencies are packaged in your software
- All dependencies must comply with licensing requirements
- You must only use software whose licence has been agreed by AcmePay
Dependencies include Docker base images, 3rd-party libraries, and any other source code pulled into the build.
During the build, these inputs can be recorded in the software bill of materials (SBOM) at the same time as the binary provenance is recorded, so that every input to a given artifact is auditable after the fact.
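As an added illustration of what "defined securely" and "auditable" mean for two of the inputs named above (example code, not AcmePay's own tooling): a hypothetical checker that flags 3rd-party library and base-image declarations that are not pinned to an exact version with an integrity hash or digest. The requirements file, Dockerfile and hash values are constructed samples.

```python
"""Hypothetical checker (not AcmePay tooling) for two build inputs named in
the standard: a pip requirements file (3rd-party libraries) and a Dockerfile
(base images). An input is treated as securely defined when it is pinned to
an exact version with a sha256 hash (pip) or pulled by immutable digest."""
import re

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*==\s*([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=sha256:[0-9a-f]{64}")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.IGNORECASE)

def check_requirements(text):
    """Return violations for a requirements.txt body, in file order."""
    violations = []
    # Join pip's backslash continuations so --hash options on following
    # lines are attributed to the requirement above them.
    for entry in text.replace("\\\n", " ").splitlines():
        entry = entry.split("#", 1)[0].strip()   # drop comments
        if not entry or entry.startswith("-"):
            continue  # blank line or a pip option such as --index-url
        m = REQ_LINE.match(entry)
        if not m:
            violations.append(f"not pinned to an exact version: {entry}")
        elif not HASH_OPT.search(entry):
            violations.append(f"no sha256 hash for {m.group(1)}=={m.group(2)}")
    return violations

def check_dockerfile(text):
    """Return base images that are not pinned by digest (scratch is exempt)."""
    violations = []
    for line in text.splitlines():
        m = FROM_LINE.match(line)
        if m and m.group(1).lower() != "scratch" and "@sha256:" not in m.group(1):
            violations.append(f"base image not pinned by digest: {m.group(1)}")
    return violations

# Constructed sample inputs; the hashes are placeholders, not real digests.
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0 \\\n    --hash=sha256:" + "a" * 64 + "\n"
    + "urllib3>=1.26        # floating range: the build input can change\n"
    + "certifi==2023.7.22   # pinned, but cannot be verified without a hash\n"
)
SAMPLE_DOCKERFILE = (
    "FROM python:3.11-slim\n"
    + "FROM python:3.11-slim@sha256:" + "b" * 64 + " AS runtime\n"
)

if __name__ == "__main__":
    for v in check_requirements(SAMPLE_REQUIREMENTS) + check_dockerfile(SAMPLE_DOCKERFILE):
        print("VIOLATION:", v)
```

Run against a real lock file and Dockerfile, the same checks can gate a merge so that nothing unpinned reaches the build whose SBOM and provenance are recorded.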