2.4.6 Ensure pipeline steps sign the Software Bill of Materials (SBOM) produced

ID

cis_sscs/steps_sbom

Severity

low

Category

build_pipelines/pipeline_integrity

Levels

Optional

true

Tags

sbom, security, slsa-1, slsa-2, slsa-3, slsa-4, supply-chain

Description

An SBOM (Software Bill of Materials) is a file that lists every component of a piece of software or of a build process. One should be generated on every pipeline run, and once generated it must be signed. To verify this, configure the tools, or the commands, that your workflows use to generate and sign the SBOM and check that they are present; the parameters of this check are those tools and commands.

Rationale

A Software Bill of Materials (SBOM) is a file used to validate the integrity and security of a build pipeline. Signing it ensures that no one tampered with the file between its generation and its delivery; such tampering is one way an attacker could hide unusual activity in the build. Validating the SBOM signature detects this activity and can prevent a much larger incident.

Verification

For each pipeline, ensure it signs the Software Bill of Materials it produces on every run.

Remediation

For each pipeline, configure it to sign its produced Software Bill of Materials on every run.
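As an added example (not part of the CIS benchmark or its tooling), a small Python checker that applies this control to a GitHub Actions workflow: it collects the shell commands under `run:` keys and passes only if a signing command runs after the last SBOM-generating command. The tool and command lists, the sample workflows, and the `run:` parsing are assumptions made for the example.

```python
import re
# Assumed parameter values (the 'tools' and 'commands' the Description names).
SBOM_TOOLS = ("syft ", "cyclonedx", "trivy sbom", "spdx-sbom-generator")
SIGN_COMMANDS = ("cosign sign-blob", "cosign attest", "gpg --detach-sign")
RUN_KEY = re.compile(r"^(\s*)(- )?run:\s*(.*)$")

def run_commands(workflow_text):
    """Shell commands under `run:` keys, in order; handles `run: cmd` and `run: |`."""
    lines, cmds, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_col = len(m.group(1)) + (2 if m.group(2) else 0)
        rest = m.group(3).strip()
        if rest.rstrip("-") not in ("|", ">"):
            cmds.append(rest)
            continue
        # block scalar: consume the lines indented deeper than the `run` key
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_col):
            if lines[i].strip():
                cmds.append(lines[i].strip())
            i += 1
    return cmds

def check_sbom_signed(workflow_text, tools=SBOM_TOOLS, commands=SIGN_COMMANDS):
    """Return (passed, reason). Passes only when a signing command runs after the
    last SBOM-generating command, so the signature covers the final SBOM."""
    cmds = run_commands(workflow_text)
    gen = [i for i, c in enumerate(cmds) if any(t in c for t in tools)]
    sig = [i for i, c in enumerate(cmds) if any(s in c for s in commands)]
    if not gen:
        return False, "no SBOM generation step found"
    if not sig:
        return False, "SBOM generated but never signed"
    if sig[-1] < gen[-1]:
        return False, "signing step runs before the final SBOM is generated"
    return True, "SBOM generated and then signed"

# Constructed sample workflows (not taken from any real repository).
SIGNED = """\
steps:
  - run: syft dir:. -o spdx-json > sbom.spdx.json
  - name: Sign SBOM
    run: |
      cosign sign-blob --yes --output-signature sbom.sig sbom.spdx.json
"""
UNSIGNED = SIGNED.split("  - name")[0] + "  - run: echo build finished\n"
```

Run it against each workflow file under `.github/workflows/` and treat any `(False, ...)` result as a finding for this control.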