Do you track all third-party components you use directly and all internal components in a secure and persistent repository?

ID

esf_s3c_dev/use_secure_component_repository

Severity

high

Category

Levels

Optional

true

Tags

SSDF-PS.1.1, SSDF-PW.4.1, security, supply-chain

Description

Do you track all third-party components you use directly and all internal components in a secure and persistent repository?

Both third-party and proprietary components must be stored in, and consumed from, trusted repositories. Those repositories should be hosted internally where possible and administered only by designated administrators.

Rationale

When the organization makes decisions concerning the selection, use, changes, or updates of third-party or open-source software for its products, it should perform a risk assessment and ensure the residual risks are acceptable.

One key point is to store third-party, open-source and internally developed components in a secure repository, where every artifact is analyzed and its risk determined to be acceptable before it is included.

For example, whenever possible, images should be built from source rather than downloaded from the internet, unless the provenance and delivery of the download are understood and trusted; they should then be uploaded to the internal secure repository and consumed from there throughout the application lifecycle.

Verification

By default, the check identifies a built-in list of untrusted public repositories. This can be changed in the checkpoint configuration file, either by adding other untrusted public repositories or by declaring trusted private repositories. When any private repository is declared, the public repository list no longer takes effect.

The following package managers and repositories are analyzed:

  • Maven

  • Npm

  • Nuget

  • Pip
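As an added illustration of the verification logic described above (this is not the checkpoint's own implementation), the following Python script scans the text of files such as .npmrc, requirements.txt and pom.xml for repository URLs and applies the same rule: with no private repository declared, only URLs on the untrusted public list are flagged; once any trusted private repository is declared, every URL outside it is flagged and the public list is ignored. The default public list and the sample file contents are constructed for the example.

```python
import re

# Constructed default list of untrusted public repositories; the real checkpoint
# configuration ships its own list, so treat these values as an assumption.
DEFAULT_UNTRUSTED_PUBLIC = [
    "https://repo.maven.apache.org/maven2",
    "https://registry.npmjs.org",
    "https://api.nuget.org/v3/index.json",
    "https://pypi.org/simple",
]

# Matches http(s) URLs in .npmrc, requirements.txt, pom.xml or NuGet.config text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def normalize(url):
    """Lower-case and strip a trailing slash so equivalent URLs compare equal."""
    return url.rstrip("/").lower()


def under(url, base):
    """True when url is base itself or a path below it (both normalized)."""
    return url == base or url.startswith(base + "/")


def find_untrusted(text, trusted_private=(), untrusted_public=DEFAULT_UNTRUSTED_PUBLIC):
    """Return repository URLs in text that violate the policy: if any trusted
    private repository is declared, every URL outside them is flagged and the
    public list is ignored; otherwise only known untrusted public URLs are flagged."""
    trusted = [normalize(u) for u in trusted_private]
    untrusted = [normalize(u) for u in untrusted_public]
    findings = []
    for url in URL_RE.findall(text):
        n = normalize(url)
        if trusted:
            if not any(under(n, t) for t in trusted):
                findings.append(url)
        elif any(under(n, u) for u in untrusted):
            findings.append(url)
    return findings


# Constructed sample file contents standing in for files in a project checkout.
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n"
SAMPLE_REQUIREMENTS = "--index-url https://pypi.org/simple\nrequests==2.31.0\n"
SAMPLE_POM = ("<repository><id>central</id><url>https://repo.maven.apache.org/maven2</url>"
              "</repository><repository><id>internal</id>"
              "<url>https://nexus.example.internal/repository/maven-releases</url></repository>")

if __name__ == "__main__":
    for name, text in [(".npmrc", SAMPLE_NPMRC), ("pom.xml", SAMPLE_POM)]:
        print(name, "public list mode:", find_untrusted(text))
        print(name, "private list mode:", find_untrusted(text, ["https://nexus.example.internal"]))
```

Running the script shows the pom.xml sample producing the same single finding in both modes, while a mirror that is not on the public list is only reported once a private repository is declared.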

Remediation

  • Configure untrusted public or trusted private repositories for this check.

  • Remove references to untrusted repositories from project and CI files in the following places:

     - Maven repositories referenced in pom.xml and settings.xml
     - NPM registry configuration: .npmrc at project, user and global level
     - NuGet package sources
     - Pip repositories configured in requirements.txt