Trust Center

Build Security

Security controls for build processes, artifact integrity, and deployment evidence.

Build Process

1. Code checkout from versioned repositories with signed commits and GPG verification.
2. Isolated build environment in containerized pipelines without persistent network access.
3. Automated SAST/SCA scanning as well as linting prior to artifact creation.
4. Signing and hashing of build artifacts with upload to an immutable artifact repository.

Artifact Integrity

All build artifacts are hashed using SHA-256 and the checksum is stored in the artifact repository.
Each artifact is signed with a private code-signing certificate; the signature is verified before deployment.
The build pipeline logs hash, signature, and metadata (source commit, builder ID, timestamp) in a tamper-protected log.
A regular re-hash comparison checks the integrity of stored artifacts against the original checksums.

Deployment Evidence

Each deployment process generates a structured evidence package containing build hash, signature validation result, and target environment.
The evidence package is automatically stored in the evidence management system and linked to the DORA bridge evidence process.
Deployments are authorized by a separate change management board; authorization is recorded in the audit trail.
Traceability from source commit through build artifact to production deployment is fully assured.

Build Recommendations

composer: Fixed versions in composer.lock, --no-dev for production, --optimize-autoloader, --classmap-authoritative.
composer: Regular composer audit in CI; use Satis or Private Packagist for internal packages.
npm: Package pinning via package-lock.json, --ignore-scripts for production builds, npm audit in the CI pipeline.
npm: Use npm ci instead of npm install for deterministic installs without deviations.
CI Pipeline: Verify package signatures and SHA checksums of all external dependencies before installation.

ISO 27001 Verbindung

ISO/IEC 27001:2022 Build Security Control Reference

A.5.1 Leadership and strategy
A.5.31 Documented information (control)
A.5.36 Documentation and reporting

ISO/IEC 27001:2022 dient als Kontrollanker und Management-System-Referenz. Die Verbindung zu ISO 27001 unterstützt integrierte Resilienz- und Sicherheitsprogramme.

Reifegrad

1 Initial

Ad-hoc-Ansätze, keine formalen Prozesse
2 Defined

Formale Prozesse definiert, aber nicht durchgängig umgesetzt
3 Implemented

Prozesse vollständig umgesetzt und dokumentiert
4 Monitored

Prozesse werden überwacht und gemessen
5 Optimized

Kontinuierliche Verbesserung und Anpassung

Quellen und Stand

Review-Status: reviewed
Letzte Prüfung: 2026-06-18

ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection Stand: 2022-10
SLSA (Supply-chain Levels for Software Artifacts) Stand: Retrieved 2026-06-18
OpenSSF Scorecard – Security Health Metrics Stand: Retrieved 2026-06-18

Diese Seite ist eine eigene Umsetzungshilfe auf Basis öffentlicher Quellen. Sie ersetzt keine Rechtsberatung und keine verbindliche Auslegung durch Aufsicht oder Rechtsberatung.