UnixTime

Research Note

Development Tool and Library Integrity Checklist

Use this checklist to review compilers, build tools, CI/CD runners, package sources, dependency registries, and library integrity controls.

On this page

When to use this

Use this checklist to review compilers, build tools, CI/CD runners, package sources, dependency registries, and library integrity controls.

Checklist

  • Development tools are approved and obtained from trusted sources.
  • CI/CD runners and build agents are access-controlled.
  • Dependency registries or mirrors are approved.
  • Package/library integrity checks are used where available.
  • Code signing or release signing is used where justified.
  • Build tool administrators are reviewed.
  • Production systems do not host development tools unless justified.
  • Build logs and artifacts are retained according to policy.

Review table

Tool/library/source Owner Trusted source? Access controlled? Integrity check Gap/action
TBD TBD Yes/No Yes/No TBD TBD
  • Template
  • Iso27001
  • Technological controls
  • Secure development

Note Metadata

Aliases: Build Tool Integrity Checklist, Software Library Integrity Checklist

Source: 90 Templates/Development Tool and Library Integrity Checklist.md