Do you perform binary composition analysis of the final package?

ID

esf_s3c_dev/final_package_analysis

Severity

high

Category

Levels

Optional

false

Tags

sca, security, supply-chain

Description

Do you perform binary composition analysis of the final package?

Binary software composition analysis tools inspect what is actually included in the final deliverables (the built binaries, bundled libraries and packaged files, rather than the source tree) and identify potential issues in the final packages.

Rationale

The final package or update to be delivered to a customer may have issues that expose the developer and customers to cybersecurity and privacy risks. For example, it may contain confidential information (e.g., hard-coded credentials, personal data), open source software license issues, and components of unknown origin bundled into the shipped files. Moreover, the deliverable may have been built with improper compiler options or build settings.
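To make the rationale concrete, the following is an added example (not tooling from this checklist or any vendor) of two of the checks a binary composition scan of a release package performs: reading the ELF headers of shipped binaries for hardening settings that reflect compiler and linker options (PIE, non-executable stack, RELRO), and searching every packaged file for hard-coded credential patterns. The package, the binaries and the secret patterns are all constructed inline so it runs offline; a real scan would cover many more binary formats, patterns and license checks.

```python
"""Minimal release-package inspection (added illustration, not a product).
Assumptions: packages are plain .tar archives, binaries are 64-bit
little-endian ELF, and the secret patterns below are a small constructed set."""
import io
import re
import struct
import tarfile

# Constructed credential patterns; production scanners ship far larger sets.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*['\"][^'\"]{4,}"),
}

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1


def elf_hardening(data: bytes) -> dict:
    """Return PIE / NX / RELRO status of an ELF64 LE image, or {} if not one."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        return {}
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False
    for i in range(e_phnum):  # walk the program headers
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # stack segment must not be executable
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def scan_package(tar_bytes: bytes) -> list:
    """Inspect every regular file in the package; return (path, finding) pairs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for name, ok in elf_hardening(data).items():
                if not ok:
                    findings.append((member.name, f"elf_missing_{name}"))
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, f"secret_{label}"))
    return findings


def build_sample_elf(pie: bool, exec_stack: bool, relro: bool) -> bytes:
    """Constructed header-only ELF64 image with the requested hardening state."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 7 if exec_stack else 6, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    header = struct.pack(
        "<4sBBBBBxxxxxxxHHIQQQIHHHHHH",
        ELF_MAGIC, 2, 1, 1, 0, 0,          # e_ident: class64, LE, version, ABI
        ET_DYN if pie else ET_EXEC, 62, 1,  # e_type, x86-64, e_version
        0, 64, 0, 0,                        # entry, phoff (right after header), shoff, flags
        64, 56, len(phdrs), 0, 0, 0,        # ehsize, phentsize, phnum, sh*
    )
    return header + b"".join(phdrs)


def build_sample_package() -> bytes:
    """Constructed release package: one hardened and one weak binary, one config
    file carrying a hard-coded password, and a harmless README."""
    files = {
        "app/bin/good": build_sample_elf(pie=True, exec_stack=False, relro=True),
        "app/bin/legacy": build_sample_elf(pie=False, exec_stack=True, relro=False),
        "app/etc/service.ini": b"[db]\nuser=svc\npassword = 'hunter2pass'\n",
        "app/README": b"Release 1.0 build notes\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in scan_package(build_sample_package()):
        print(f"{path}: {finding}")
```

In a release pipeline this kind of scan would run against the artifact that is actually uploaded, and any `elf_missing_*` or `secret_*` finding would fail the release job rather than just be printed.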

Verification

The check looks for automatic scanning of packages in the release pipeline.

Remediation

Ensure automatic scanning of packages for vulnerabilities is enabled for the release branch.

Small Print

Set up automatic scanning of packages for vulnerabilities on the release branch.