Control: 2.4.6 Ensure pipeline steps sign the SBOM produced
Description
An SBOM (software bill of materials) is a file that lists each component of a piece of software or of a build process. It should be generated after every pipeline run, and once generated it must be signed.
Rationale
An SBOM is a file used to validate the integrity and security of a build pipeline. Signing it ensures that no one tampered with the file between its generation and its delivery. Such tampering can occur when someone tries to hide unusual activity in the build. Validating the SBOM signature can detect this activity and prevent a much greater incident.
Audit
For each pipeline, ensure it signs the SBOM it produces on every run.
Remediation
For each pipeline, configure it to sign its produced SBOM on every run.
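As an added example, not part of this control's text or the github_compliance mod, the following GitHub Actions workflow shows one way to meet the remediation above and the rationale's point about detecting tampering: it generates an SBOM on every run, signs it with Sigstore cosign (keyless, using the workflow's OIDC identity), verifies the signature in the same run so a signing failure fails the pipeline, and publishes the SBOM together with its signature bundle. The workflow name, branch, output file names and artifact name are assumptions; consumers of the SBOM run the same cosign verify-blob command against the published bundle.

```yaml
name: build-and-sign-sbom   # assumed workflow name

on:
  push:
    branches: [main]        # assumed default branch

permissions:
  contents: read
  id-token: write           # required for Sigstore keyless signing

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Generate an SPDX JSON SBOM for the checked-out sources on every run
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json     # assumed file name
          upload-artifact: false

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      # Sign the SBOM; the bundle holds the signature, the short-lived
      # certificate and the transparency-log entry needed to verify it
      - name: Sign SBOM
        run: cosign sign-blob --yes --bundle sbom.bundle sbom.spdx.json

      # Verify in-pipeline: a bad or missing signature fails the run here,
      # and the identity check binds the SBOM to this repository's workflows
      - name: Verify SBOM signature
        run: |
          cosign verify-blob \
            --bundle sbom.bundle \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            sbom.spdx.json

      # Publish the SBOM and its signature bundle side by side
      - uses: actions/upload-artifact@v4
        with:
          name: sbom                      # assumed artifact name
          path: |
            sbom.spdx.json
            sbom.bundle
```

The verify step is the detection point the rationale describes: an SBOM altered after signing no longer matches the signature in the bundle, and an SBOM signed by an identity outside this repository's workflows fails the identity check, so either case stops the run instead of shipping an unverifiable file.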
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_6 --share
SQL
This control uses a named query:
default_branch_pipeline_must_have_jobs_with_sbom_generation