# The CHAINS software supply chain recommendations
Based on our readings and research, we came to the following conclusions.
– The Chains team
CHAINS Recommends
CHAINS recommendations are meant to be directly applicable, with state of the art solutions.
- CHAINS recommends designing, implementing and enforcing reproducible builds
- CHAINS recommends the usage of dependency pinning, via hashes.
- CHAINS recommends the usage of automated dependency bots such as Renovate and Dependabot.
- CHAINS recommends the usage of static vulnerability scanners on all commits of the main branch. This contributes to protect against insider attacks (eg xz).
- CHAINS recommends disabling dynamic evaluation of code (aka eval) in production
- In NodeJS, this is
--disallow-code-generation-from-strings
doc
CHAINS Encourages
These items are harder to achieve than the recommendations above, because of lack of maturity.
- CHAINS encourages transparency logs over releases/packages
- CHAINS encourages using functional package managers in CI (Guix, NIX)
- CHAINS encourages automated publication of SBOMs as part the release process (tutorial for Github release)
- CHAINS encourages source-based package registries, such as Go. This increases transparency and auditability, and reduces the attack surface of malicious tampering.