1.2 Protect the Software (PS)

Phase 1 Tasks for Code and Prebuild

Organizations should protect all components of their software from tampering and unauthorized access.


PS.1: Protect All Forms of Code from Unauthorized Access and Tampering

Help prevent unauthorized changes to code, both inadvertent and intentional, which could circumvent or negate the intended security characteristics of the software. For code that is not intended to be publicly accessible, this helps prevent theft of the software and may make it more difficult or time-consuming for attackers to find vulnerabilities in the software.


Tasks and Tools
PS.1.1:

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Store all source code and configuration-as-code in a code repository, and restrict access to it based on the nature of the code. For example, open source code intended for public access may need its integrity and availability protected; other code may also need its confidentiality protected.

GitHub

Provides a centralized source code repository with access control, auditability, and workflow enforcement supporting SSDF practices for secure code management and change control.

GitLab

Delivers integrated source control, CI/CD, and security workflows that enable SSDF-aligned governance, traceability, and secure development processes.

Bitbucket

Supports SSDF by managing source code with role-based access, commit integrity options, and mandatory review workflows.

SourceForge

Hosts and distributes open-source projects with version control and release management supporting SSDF requirements for code provenance and transparency.

Subversion

Provides centralized version control enabling SSDF practices for change tracking, audit trails, and controlled access to source code.

Git

Provides content-addressed, tamper-evident history (a rewritten commit changes every descendant hash, so history can be rewritten but not silently), traceability, and distributed development workflows foundational to SSDF source integrity and accountability; protected branches and signed commits are still needed to stop an authorized user from force-pushing a rewritten history.

GitBucket

Offers Git-based repository hosting with access control and collaboration features supporting SSDF secure development governance.

Gitea

Provides lightweight, self-hosted Git repositories that support SSDF requirements for controlled source management and auditability.

gittuf

Strengthens SSDF compliance by enforcing cryptographic policies and verifiable trust metadata over Git repositories and workflows.

GitHub Signing Commits

Supports SSDF-aligned source integrity by binding each commit to a cryptographic signature (SSH, GPG or S/MIME key) that can be checked against keys registered to a GitHub account; without signing, the author and committer fields of a commit are free-form text that anyone with push access can set.

Sigstore

Enables SSDF-aligned artifact and commit verification through keyless, auditable cryptographic signing and transparency logs.

GitHub CODEOWNERS

Supports SSDF role separation and accountability by mapping paths to designated owners who are automatically requested for review; it only becomes an enforced gate when the branch protection rule "Require review from Code Owners" is enabled.

GitHub Code Review

Supports SSDF secure development by enforcing peer review, policy checks, and approval gates before code integration.

GitLab CODEOWNERS

Implements SSDF responsibility assignment by automatically routing changes to accountable reviewers.

GitLab Code Review Guidelines

Establishes SSDF-aligned review standards that reduce defects and security risks prior to merging code.


PS.2: Provide a Mechanism for Verifying Software Release Integrity

Help software acquirers ensure that the software they acquire is legitimate and has not been tampered with.


Tasks and Tools
PS.2.1:

Make software integrity verification information available to software acquirers.

Post cryptographic hashes for release files on a well-secured website.
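As an added example for PS.2.1 (not code from this page or from any of the listed projects), the following Python script generates a SHA256SUMS manifest in the format that `sha256sum -c` reads, verifies it the way an acquirer would, and shows the failure modes verification must surface: a modified artifact, a missing artifact, a malformed manifest line, and an entry that tries to point outside the release directory. The file names and contents are constructed for the demonstration. Hashes alone only detect accidental corruption; the manifest itself still has to be signed (for example `gpg --detach-sign --armor SHA256SUMS`) and published on the well-secured site, because an attacker who can replace the release files can usually replace an unsigned hash list next to them.

```python
"""Generate and verify a SHA256SUMS release manifest (sha256sum -c format).

Added example for task PS.2.1; this is not code from the page or from any
project it lists. The release directory, file names and contents used in
demo() are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large artifacts are not loaded whole


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(release_dir: str, manifest_name: str = "SHA256SUMS") -> str:
    """Hash every regular file in release_dir (except the manifest itself) and
    write '<hex>  <name>' lines, the format `sha256sum -c SHA256SUMS` accepts.
    Returns the manifest path."""
    lines = []
    for name in sorted(os.listdir(release_dir)):
        path = os.path.join(release_dir, name)
        if name == manifest_name or not os.path.isfile(path):
            continue
        lines.append(f"{sha256_file(path)}  {name}")
    manifest = os.path.join(release_dir, manifest_name)
    with open(manifest, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return manifest


def verify_manifest(release_dir: str, manifest_name: str = "SHA256SUMS") -> dict:
    """Acquirer-side check. Returns {entry: status} where status is one of
    OK, FAILED (hash mismatch), MISSING (file absent), MALFORMED (line is not
    '<64 hex>  <name>') or REJECTED (name would escape release_dir).
    Every line is reported, so a truncated or edited manifest cannot pass
    silently just by listing fewer files."""
    results = {}
    with open(os.path.join(release_dir, manifest_name), encoding="utf-8") as f:
        for raw in f:
            line = raw.rstrip("\n")
            if not line:
                continue
            expected, sep, name = line.partition("  ")
            expected = expected.lower()
            if not sep or len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
                results[line] = "MALFORMED"
                continue
            # A manifest fetched from an untrusted source must not make us read
            # files outside the release directory (e.g. '../../etc/passwd').
            if os.path.basename(name) != name or name in ("", ".", ".."):
                results[name] = "REJECTED"
                continue
            path = os.path.join(release_dir, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
            elif hmac.compare_digest(sha256_file(path), expected):
                results[name] = "OK"
            else:
                results[name] = "FAILED"
    return results


def demo() -> tuple:
    """Build a constructed release, verify it clean, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed release artifacts
            "example-app-1.0.0.tar.gz": b"constructed tarball bytes",
            "example-app-1.0.0-py3-none-any.whl": b"constructed wheel bytes",
            "README.txt": b"constructed readme",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(d)
        clean = verify_manifest(d)

        # Simulate what an acquirer might see after the distribution point is tampered with.
        with open(os.path.join(d, "example-app-1.0.0.tar.gz"), "ab") as f:
            f.write(b"\x00")                                  # modified artifact
        os.remove(os.path.join(d, "README.txt"))              # artifact removed
        with open(manifest, "a", encoding="utf-8") as f:
            f.write("not a hash line\n")                      # corrupted line
            f.write("0" * 64 + "  ../outside.txt\n")          # path traversal attempt
        tampered = verify_manifest(d)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean release:   ", clean)
    print("tampered release:", tampered)
```

Any status other than OK should fail the acquirer's install step; a verifier that only checks the files it happens to find, or that stops at the first error, lets an attacker hide a swapped artifact behind a shortened manifest.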

Apache Infrastructure Signing Releases

Supports SSDF by ensuring that Apache software releases are cryptographically signed and verifiable, establishing trusted provenance and protecting against tampered distribution artifacts.

OpenPGP

Provides SSDF-aligned cryptographic mechanisms for signing and verifying code and artifacts to ensure authenticity, integrity, and non-repudiation.

The GNU Privacy Guard

Implements OpenPGP standards to enable SSDF practices for signing source code, commits, and releases with verifiable developer identity.

Let's Encrypt

Supports SSDF secure delivery by issuing free, automated TLS certificates that protect software distribution channels and developer services from interception and tampering in transit; TLS does not replace signed release artifacts or published hashes, since it says nothing about whether the file on the server is the one the project released.

EJBCA Community

Enables SSDF compliance by providing an open-source PKI for managing certificates used to authenticate developers, systems, and software artifacts.

Dogtag Certificate System

Supports SSDF trust and identity requirements by issuing and managing digital certificates for secure software signing and infrastructure authentication.

OpenXPKI

Provides SSDF-aligned certificate lifecycle management to establish, audit, and enforce trust across software development and release pipelines.

Step-CA

Enables SSDF automation of cryptographic identity by issuing short-lived certificates for developers, CI/CD systems, and software signing workflows.


PS.3: Archive and Protect Each Software Release

Preserve software releases in order to help identify, analyze, and eliminate vulnerabilities discovered in the software after release.


Tasks and Tools
PS.3.1:

Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.

Store the release files, associated images, etc. in repositories following the organization’s established policy. Allow read-only access to them by necessary personnel and no access by anyone else.

Access Permissions on GitHub

Enforces SSDF role-based access control by restricting who can view, modify, or administer source code repositories.

GitLab Roles and Permissions

Supports SSDF governance by defining granular roles that enforce least privilege and separation of duties across the SDLC.

GitHub Repository Roles for an Organization

Implements SSDF organizational controls by standardizing permission levels across teams and repositories.

Ortelius

Extends SSDF controls beyond source code by enforcing access, traceability, and accountability over deployed software, SBOMs, and live environment metadata through a deployment-centric digital twin.

PS.3.2:

Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a Software Bill of Materials (SBOM)).

Make the provenance data available to software acquirers in accordance with the organization’s policies, preferably using standards-based formats.
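As an added example for PS.3.2 (not code from this page, from CycloneDX, or from any tool listed here), the following Python script emits a minimal CycloneDX 1.5 JSON SBOM for a constructed set of components, runs the checks an acquirer would want before relying on it (recognised format and version, a named subject, and a purl plus SHA-256 for every component), and correlates the components with a constructed advisory list by purl, which is the lookup a tool such as Dependency-Track performs. Package names, hashes and advisory identifiers are invented for the demonstration and do not refer to real packages or CVEs.

```python
"""Produce a minimal CycloneDX 1.5 JSON SBOM, check it has what an acquirer
needs, and correlate its components with an advisory list by purl.

Added example for task PS.3.2; not code from the page, from CycloneDX or from
any listed tool. Component names, artifact bytes and advisory identifiers are
constructed for the demonstration and do not refer to real packages or CVEs.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory: (name, version, purl, bytes of the packaged artifact).
COMPONENTS = [
    ("example-http", "1.2.3", "pkg:pypi/example-http@1.2.3", b"constructed wheel A"),
    ("example-parser", "0.9.0", "pkg:pypi/example-parser@0.9.0", b"constructed wheel B"),
]

# Constructed advisory feed keyed by purl; the identifiers are hypothetical.
ADVISORIES = {
    "pkg:pypi/example-parser@0.9.0": ["EXAMPLE-ADV-0001"],
}


def build_sbom(app_name: str, app_version: str, components) -> dict:
    """Return a CycloneDX 1.5 document as a dict. The subject being described
    goes in metadata.component; each dependency carries a purl (the key
    vulnerability databases match on) and the SHA-256 of the artifact actually
    shipped, which ties the SBOM to the archived release files."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl,
                "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(blob).hexdigest()}],
            }
            for name, version, purl, blob in components
        ],
    }


def validate_sbom(sbom: dict) -> list:
    """Consumer-side checks. Returns a list of problems; empty means usable."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not str(sbom.get("specVersion", "")).startswith("1."):
        problems.append("specVersion missing or not a CycloneDX 1.x version")
    if not isinstance(sbom.get("metadata"), dict) or "component" not in sbom["metadata"]:
        problems.append("metadata.component (what this SBOM describes) is missing")
    for c in sbom.get("components", []):
        label = f"{c.get('name')}@{c.get('version')}"
        if not c.get("purl"):
            problems.append(f"{label}: no purl, cannot be matched to advisories")
        hashes = {h.get("alg"): h.get("content", "") for h in c.get("hashes", [])}
        if len(hashes.get("SHA-256", "")) != 64:
            problems.append(f"{label}: no SHA-256 hash, cannot be tied to an artifact")
    return problems


def vulnerable_components(sbom: dict, advisories: dict) -> dict:
    """Map each component purl to the advisories that name it. This is an
    exact purl match; production feeds also need version-range evaluation."""
    return {
        c["purl"]: advisories[c["purl"]]
        for c in sbom.get("components", [])
        if c.get("purl") in advisories
    }


def demo() -> tuple:
    """Generate, serialise, re-parse as an acquirer would, validate, correlate."""
    sbom = build_sbom("example-app", "1.0.0", COMPONENTS)
    published = json.dumps(sbom, indent=2)   # the text you sign and share
    reloaded = json.loads(published)         # what the acquirer actually parses
    return validate_sbom(reloaded), vulnerable_components(reloaded, ADVISORIES)


if __name__ == "__main__":
    problems, hits = demo()
    print("problems:", problems)
    print("affected:", hits)
```

The SHA-256 recorded for each component should be the digest of the artifact that was actually built into the release, so that an acquirer can tie the SBOM to the files they downloaded rather than to a name and version string alone; the serialised JSON is then signed (for example with Sigstore or an OpenPGP detached signature) and published with the release.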

AI SBOM Generator

Supports SSDF by automatically generating and maintaining accurate software bills of materials that improve component visibility and vulnerability traceability across the SDLC.

CycloneDX

Enables SSDF-aligned component transparency by providing a standardized SBOM format optimized for security, integrity, and risk analysis.

Software Identification (SWID) Tagging Tools and Utilities

Support SSDF practices by uniquely identifying installed software components to enable asset inventory, provenance tracking, and vulnerability correlation.

SPDX

Provides an ISO/IEC 5962 standard format for documenting software components, licenses, and relationships to support SSDF supply-chain transparency and compliance.

bomctl

Supports SSDF SBOM consumption by validating, querying, and managing SBOMs throughout build and release workflows.

OWASP Dependency-Check

Enables SSDF vulnerability detection by identifying known CVEs in third-party dependencies during development and build phases.

Dependency-Track

Supports SSDF risk management by continuously analyzing SBOMs to monitor component vulnerabilities and policy compliance.

Clair

Contributes to SSDF by scanning container images for known vulnerabilities prior to deployment.

Grype

Supports SSDF secure build practices by detecting known vulnerabilities in container images and file systems using SBOM data.

Ortelius

Extends SSDF beyond build time by correlating and aggregating SBOMs, vulnerabilities, and deployment metadata to identify which live environments are actually at risk.

Protobom

Supports SSDF interoperability by providing reusable libraries and tools for generating and transforming SBOMs across formats.

Syft

Enables SSDF component discovery by generating SBOMs from source code, containers, and runtime artifacts.

Hoppr

Supports SSDF SBOM sharing and discovery by enabling secure distribution and retrieval of SBOM artifacts.

Tern

Contributes to SSDF transparency by analyzing container images to produce detailed component inventories and SBOMs.

Trivy

Supports SSDF secure development by scanning for vulnerabilities, misconfigurations, and exposed secrets across code and artifacts.

aoss-verifier

Enables SSDF compliance validation by verifying the integrity and authenticity of open-source artifacts.

Sigstore

Supports SSDF provenance by enabling cryptographically verifiable signing of artifacts and SBOMs with transparency logs.

TLSNotary Protocol

Contributes to SSDF trust by providing cryptographic proof of data integrity for externally retrieved security and dependency metadata.

GitHub Actions

Enables SSDF automation by embedding security checks, SBOM generation, and policy enforcement directly into CI workflows.

GitLab CI/CD

Supports SSDF secure pipelines by integrating build, test, scan, and release controls within a governed CI/CD system.

Jenkins

Jenkins is a fully open-source automation server, released under the MIT License, with an extensible plugin ecosystem governed by the Jenkins community and widely used to implement SSDF-aligned CI/CD security controls.

Updatecli

Supports SSDF remediation by automating dependency, configuration, and policy updates in a controlled and auditable manner.

Renovate

Enables SSDF secure maintenance by automatically updating vulnerable dependencies while preserving review and approval controls.