Defined Toolchain
Introduction
Scripted builds that run in a temporary, controlled environment are more resistant to supply chain attacks than builds on long-lived, hand-configured machines. We use immutable Docker images for the build environment. Because the image cannot change between the time it is reviewed and the time a build runs, the environment is easy to audit, its contents can be scanned for known vulnerabilities, and every change to it goes through version control like any other code. Note that an image is only immutable when it is referenced by its content digest; a tag such as latest can be re-pointed to different content after review.
Implementation of this control
Our official builds run in Bitbucket Pipelines, with the pipeline defined as code and versioned alongside the source. Each step runs in an immutable container, and a fingerprint of each build output is recorded as Binary Provenance.
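The following shell script is an added example, not code from this page or from the organisation's own pipeline. It shows the two checks a practitioner would want when implementing the control described above: rejecting a pipeline definition whose images are referenced by a mutable tag rather than a content digest, and recording a fingerprint (SHA-256) of a build output together with the image and commit that produced it. The sample bitbucket-pipelines.yml, the image names, the commit identifier and the all-zero digest are constructed placeholders, and the provenance line layout is this example's own, not the Binary Provenance format.

```shell
#!/bin/sh
# Added example (not code from the page or the organisation it describes):
# lint a Bitbucket Pipelines definition for image references that are not
# digest-pinned, and compute the fingerprint of a build output.

# Placeholder digest (64 zero hex digits); a real one comes from the registry.
PLACEHOLDER_DIGEST=sha256:0000000000000000000000000000000000000000000000000000000000000000

# Constructed sample bitbucket-pipelines.yml for demonstration only.
SAMPLE_PIPELINE="image: python:3.12              # mutable tag: can be re-pointed
pipelines:
  default:
    - step:
        name: build
        image:
          name: python@$PLACEHOLDER_DIGEST
        script:
          - make build
    - step:
        name: test
        image: golang:latest            # mutable tag: can be re-pointed
        script:
          - go test ./...
"

# sample_pipeline_file: write the sample to a temporary file and print its path.
sample_pipeline_file() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_PIPELINE" > "$f"
    echo "$f"
}

# is_digest_pinned REF: succeed only when REF is name@sha256:<64 hex digits>.
# A tag (python:3.12, golang:latest) or a bare name resolves to whatever the
# registry serves today, so it is not an immutable build environment.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# image_refs: read a pipeline file on stdin and print every image reference.
# Handles the short form "image: REF" and the mapping form "image:" followed by
# "name: REF" on the next line (assumed here to be the first key under image:).
image_refs() {
    awk '
        /^[ \t]*image:[ \t]*[^ \t#]/ {
            sub(/^[ \t]*image:[ \t]*/, ""); sub(/[ \t#].*$/, ""); print
            in_image = 0; next
        }
        /^[ \t]*image:[ \t]*(#.*)?$/ { in_image = 1; next }
        in_image && /^[ \t]*name:/ {
            sub(/^[ \t]*name:[ \t]*/, ""); sub(/[ \t#].*$/, ""); print
        }
        { in_image = 0 }
    '
}

# lint_pipeline FILE: report each image reference; return 1 if any is mutable.
lint_pipeline() {
    rc=0
    for ref in $(image_refs < "$1"); do
        if is_digest_pinned "$ref"; then
            echo "pinned  $ref"
        else
            echo "MUTABLE $ref"
            rc=1
        fi
    done
    return $rc
}

# mutable_count FILE: print how many image references are not digest-pinned.
mutable_count() {
    lint_pipeline "$1" | grep -c '^MUTABLE '
}

# fingerprint FILE: print the SHA-256 of a build output. Recording this hash
# with the pipeline commit and the image digest is what lets a build be
# audited later.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# provenance_record ARTIFACT IMAGE_REF COMMIT: one line tying the output hash
# to the environment and source that produced it (this example's own layout).
provenance_record() {
    printf 'sha256=%s artifact=%s image=%s commit=%s\n' \
        "$(fingerprint "$1")" "$(basename "$1")" "$2" "$3"
}

# Stand-alone demo: the sample pipeline is rejected, then a constructed
# artifact is fingerprinted against the pinned image and a placeholder commit.
demo_file=$(sample_pipeline_file)
lint_pipeline "$demo_file" || echo "rejected: $(mutable_count "$demo_file") mutable image reference(s)"
demo_dir=$(mktemp -d)
printf 'demo build output\n' > "$demo_dir/app.bin"
provenance_record "$demo_dir/app.bin" "python@$PLACEHOLDER_DIGEST" "abc1234"
```

Run the lint as the first step of the pipeline itself, or as a pre-merge check on bitbucket-pipelines.yml, so that a tag such as latest cannot reach an official build; resolve a tag to its digest once, review it, and commit the digest.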
Last updated