by viccuad
1495 days ago
Part of the supply chain is your source forge and builders. On GitHub, you can point the builders to your own infra, and then maybe check cryptographically that all source code that lands on the builder is correctly signed and trusted. But it's nearly impossible to do that for the forge itself (GitHub). I recommend https://slsa.dev (a vendor-neutral effort from the Linux Foundation) for a better picture of a secure supply chain.
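One way to implement the builder-side check the comment alludes to (refusing to build source whose commits are not signed by a trusted key), as an added example that is not part of the original post or of any project it mentions. It assumes `git` is installed on the self-hosted runner (gpg is only consulted once a signature is actually present), and the allowlist format (one key fingerprint per line, as `git log`'s `%GF` prints it) and the function names are this example's own:

```shell
#!/bin/sh
# Builder-side gate (added example): refuse to build a revision range unless
# every commit carries a valid signature from an allowlisted key.
# Assumption: git is on PATH; gpg is only needed when signatures are present.

# verify_signed_commits REPO_DIR REVISION ALLOWLIST_FILE
#   ALLOWLIST_FILE holds one trusted key fingerprint per line (format of %GF).
# Returns 0 only if the range is non-empty and every commit has a good
# signature (%G? == G) from a fingerprint in the allowlist.
verify_signed_commits() {
    repo="$1"; range="$2"; allow="$3"
    tmp=$(mktemp) || return 1
    # %H hash, %G? status (G good, N none, B bad, U untrusted, E/X/Y/R other),
    # %GF fingerprint of the signing key (empty when unsigned)
    if ! git -C "$repo" log --format='%H %G? %GF' "$range" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "REJECT: no commits in range $range" >&2
        rm -f "$tmp"; return 1
    fi
    rc=0
    while read -r hash status fpr; do
        case "$status" in
            G)
                if grep -qxF "$fpr" "$allow"; then
                    echo "ok      $hash signed by $fpr"
                else
                    echo "REJECT  $hash signed by non-allowlisted key $fpr" >&2
                    rc=1
                fi ;;
            *)
                echo "REJECT  $hash signature status '$status'" >&2
                rc=1 ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Demo with a constructed repository: one unsigned commit must be rejected.
# Prints "rejected", "accepted", or "skipped" (when git is unavailable).
demo_unsigned_commit_rejected() {
    command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    allow="$dir/.trusted-keys"
    printf '%s\n' 0000000000000000000000000000000000000000 > "$allow"  # placeholder fingerprint
    git init -q "$dir"
    echo 'print("hello")' > "$dir/main.py"
    git -C "$dir" add main.py
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "unsigned commit"
    if verify_signed_commits "$dir" HEAD "$allow" 2>/dev/null; then
        echo accepted
    else
        echo rejected
    fi
    rm -rf "$dir"
}

# Usage on a runner, before checkout is handed to the build step:
#   verify_signed_commits "$GITHUB_WORKSPACE" "origin/main..HEAD" /etc/builder/trusted-keys || exit 1
```

Note that `G` alone is not enough: a commit signed by any key gpg happens to trust would pass, so the fingerprint allowlist is what ties "signed" to "trusted". Merge commits created by the forge's UI are signed by the forge's own key, which is exactly the part of the chain the comment says you cannot verify independently; either allowlist that key knowingly or require fast-forward merges.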