
Commit af3159f

1 parent 6924f21 commit af3159f

1 file changed

Lines changed: 31 additions & 9 deletions

File tree

index.html

@@ -187,6 +187,12 @@ <h2 id="specification">Specification</h2>
187187
<td>🟡</td>
188188
</tr>
189189
<tr>
190+
<td></td>
191+
<td>D405</td>
192+
<td>SBOM Generation</td>
193+
<td>🟡</td>
194+
</tr>
195+
<tr>
190196
<td>Analysis</td>
191197
<td>D501</td>
192198
<td>Static Code Analysis</td>
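Review bot: the new D405 row leaves its category cell empty (`<td></td>`), so it reads as part of the group that precedes it only by position; that is consistent with the neighbouring rows in this hunk, but it means the row loses its grouping if the table is ever sorted or filtered, and a reader who lands on D405 alone cannot tell which category it belongs to. Since the D501 row immediately below does carry its category name (`<td>Analysis</td>`), consider stating the category on the first row of each group via a `rowspan` or repeating it, rather than relying on blank cells.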
@@ -216,6 +222,12 @@ <h2 id="specification">Specification</h2>
216222
<td>Attached Reports</td>
217223
<td>🟡</td>
218224
</tr>
225+
<tr>
226+
<td></td>
227+
<td>D603</td>
228+
<td>Compliance Mapping &amp; Auditability</td>
229+
<td>🟡</td>
230+
</tr>
219231
</tbody>
220232
</table>
221233
<p><em>Proposed a new criteria?</em> Please <a href="https://github.com/devops-maturity/spec/issues">open an issue</a>.</p>
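Review bot: the D603 row is placed correctly after D602 and the `&amp;` entity in "Compliance Mapping &amp; Auditability" is properly escaped, so the table stays well-formed. One small style point in the unchanged context right after the hunk: "Proposed a new criteria?" should be "Proposing a new criterion?" ("criteria" is plural); not introduced by this commit, but worth fixing while the table is being edited.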
@@ -369,47 +381,57 @@ <h2 id="criteria-details">Criteria Details</h2>
369381
<tr>
370382
<td>D401</td>
371383
<td>Documented Build Process</td>
372-
<td>Provides a documented build process, including build steps or reproducibility.</td>
384+
<td>CI/CD build steps are version-controlled and documented.</td>
373385
</tr>
374386
<tr>
375387
<td>D402</td>
376388
<td>CI/CD as Code</td>
377-
<td>Supports CI/CD workflows defined as code, such as pipeline-as-code.</td>
389+
<td>Pipelines and infrastructure are defined as code (IaC, PaC).</td>
378390
</tr>
379391
<tr>
380392
<td>D403</td>
381393
<td>Artifact Signing</td>
382-
<td>Supports artifact signing to ensure authenticity and integrity.</td>
394+
<td>Build artifacts are cryptographically signed.</td>
383395
</tr>
384396
<tr>
385397
<td>D404</td>
386398
<td>Dependency Pinning</td>
387-
<td>Supports dependency pinning or version locking for reproducible builds.</td>
399+
<td>All dependencies are pinned to exact versions.</td>
400+
</tr>
401+
<tr>
402+
<td>D405</td>
403+
<td>SBOM Generation</td>
404+
<td>Automatically generate and manage Software Bill of Materials (SBOMs) using SPDX or CycloneDX.</td>
388405
</tr>
389406
<tr>
390407
<td>D501</td>
391408
<td>Static Code Analysis</td>
392-
<td>Supports static analysis tools like SonarQube, Polaris, or similar.</td>
409+
<td>Analyze code for vulnerabilities and bugs without executing it.</td>
393410
</tr>
394411
<tr>
395412
<td>D502</td>
396413
<td>Dynamic Code Analysis</td>
397-
<td>Supports dynamic analysis, including runtime behavior analysis or fuzz testing.</td>
414+
<td>Execute code in test environments to find runtime issues.</td>
398415
</tr>
399416
<tr>
400417
<td>D503</td>
401418
<td>Code Linting</td>
402-
<td>Supports code linting using tools like ESLint, Prettier, or pre-commit hooks.</td>
419+
<td>Enforce code style and formatting rules.</td>
403420
</tr>
404421
<tr>
405422
<td>D601</td>
406423
<td>Notifications &amp; Alerts</td>
407-
<td>Supports notification systems such as email or Slack alerts.</td>
424+
<td>Notify stakeholders on key CI/CD events.</td>
408425
</tr>
409426
<tr>
410427
<td>D602</td>
411428
<td>Attached Reports</td>
412-
<td>Supports attaching detailed reports to builds, like test results or coverage.</td>
429+
<td>CI/CD runs produce and attach structured test and analysis reports.</td>
430+
</tr>
431+
<tr>
432+
<td>D603</td>
433+
<td>Compliance Mapping &amp; Auditability</td>
434+
<td>Map controls to standards (e.g., SLSA, NIST, ISO 20243) and provide audit-ready reports.</td>
413435
</tr>
414436
</tbody>
415437
</table>
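Review bot: the D404 rewording "All dependencies are pinned to exact versions." is weaker than the reproducibility goal the old text named, because an exact version string can still resolve to different content across registries or after a re-publish; suggest "All dependencies are pinned to exact versions and locked by content hash or digest (lockfile)." Two further points in this hunk: the descriptions now mix voices, with D401 to D404 and D602 stated as conditions ("are version-controlled", "are cryptographically signed") while D405 and D501 to D601 are imperatives ("Analyze code", "Notify stakeholders"); pick one form for the whole Criteria Details table. Also, D502's new text "Execute code in test environments to find runtime issues." drops the explicit mention of fuzz testing that the removed line carried; if fuzzing is still meant to satisfy D502, keep it in the description so assessors do not read the criterion as integration testing only.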
