The CHAINS software supply chain recommendations

# The CHAINS software supply chain recommendations

Based on our readings and research, we came to the following conclusions.

– The Chains team

CHAINS Recommends

CHAINS recommendations are meant to be directly applicable, with state of the art solutions.

CHAINS recommends designing, implementing and enforcing reproducible builds
CHAINS recommends the usage of dependency pinning, via hashes.
- In NPM, this means using lockfiles.
- In Maven, this mean strict versions in the pom + Maven lockfile.
CHAINS recommends the usage of automated dependency bots such as Renovate and Dependabot.
CHAINS recommends the usage of static vulnerability scanners on all commits of the main branch. This contributes to protect against insider attacks (eg xz).
CHAINS recommends disabling dynamic evaluation of code (aka eval) in production
- In NodeJS, this is --disallow-code-generation-from-strings doc

These items are harder to achieve than the recommendations above, because of lack of maturity.

CHAINS encourages transparency logs over releases/packages
CHAINS encourages using functional package managers in CI (Guix, NIX)
CHAINS encourages automated publication of SBOMs as part the release process (tutorial for Github release)
CHAINS encourages source-based package registries, such as Go. This increases transparency and auditability, and reduces the attack surface of malicious tampering.

This site is open source. Improve this page.