Do you use the toolchain to automatically gather information that informs security decision-making?

ID

esf_s3c_dev/sscs_tool_in_use

Severity

high

Category

Levels

Optional

false

Tags

SSDF-PO.4.2, security, supply-chain, testing

Description

Do you use the toolchain to automatically gather information that informs security decision-making?

Use a tool that automates the collection of information that informs security decision-making: the current security state of the SDLC supply chain and the changes that affect it.

Rationale

Software supply chain security issues and attacks have increased as release cycles shorten under the faster pace of business. Criteria for a secure software supply chain should be defined and applied as part of the SDLC; to support those criteria, an automated process that gathers and validates the current security state and security-relevant changes is required to implement the practice at scale and reduce human effort.

Verification

The check looks for execution of known Software Supply Chain Security (SSCS) tools in recently merged PRs, or for the usage of these tools in CI workflows.
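As an added illustration of what such a check does (example code written for this page, not Xygeni's own implementation), the following scans a GitHub Actions workflow for invocations of supply-chain security tools; the marker list and the `xygeni` keyword are assumptions of the example.

```python
import re
from typing import Iterator, List

# Illustrative tool markers: an assumption of this example, not Xygeni's own list.
SSCS_MARKERS = {
    "xygeni": ["xygeni"],  # assumed keyword for Xygeni Scanner
    "scorecard": ["ossf/scorecard-action", "scorecard "],
    "signing": ["sigstore/cosign-installer", "cosign "],
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s@]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")

def _command_lines(workflow_text: str) -> Iterator[str]:
    """Yield each uses: reference and run: command, including run: | block lines."""
    block_indent = None
    for line in workflow_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None and indent > block_indent:
            yield line.strip()  # still inside the block scalar
            continue
        block_indent = None
        if m := USES_RE.match(line):
            yield m.group(1)
        elif m := RUN_RE.match(line):
            value = m.group(1).strip()
            if value in ("|", "|-", ">", ">-"):
                block_indent = indent  # commands follow on deeper-indented lines
            else:
                yield value

def find_sscs_tools(workflow_text: str) -> List[str]:
    """SSCS tool categories the workflow invokes; tools hidden in a composite action or script file are missed."""
    found = set()
    for text in _command_lines(workflow_text):
        text = text.lower() + " "
        found.update(c for c, ms in SSCS_MARKERS.items() if any(m in text for m in ms))
    return sorted(found)

def check_sscs_tool_in_use(workflow_text: str) -> str:
    return "PASS" if find_sscs_tools(workflow_text) else "FAIL"

# Constructed sample workflow, not taken from any real project.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2.3.1
      - run: |
          cosign sign --yes ghcr.io/example/app@${{ steps.build.outputs.digest }}
"""
```

Because detection is substring-based on `uses:` and `run:` lines only, a FAIL is an indication to look closer, not proof that no tool runs.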

Remediation

  • Run SSCS tool(s) in your CI/CD workflow.

  • Xygeni Scanner is a tool for running scans on software projects, aimed at detecting issues related to software supply-chain security.

Small Print

There are many SAST tools and ways of invoking them, and it is challenging for an automated tool to detect them all. A FAIL result is therefore not a definitive indication that the project is at risk.