Product Security Knowledge Base

Secure Build Factory Control Checklist

  • Protected branches and workflow files
  • Dedicated or ephemeral trusted runners for release builds
  • Artifact digests retained and referenced in approvals
  • SBOM generated for release artifacts
  • Provenance / attestation generated by the builder
  • Signing done with KMS/HSM or keyless trust path
  • Deployment approval tied to digest and evidence pack
  • Break-glass deployments logged with explicit exception record
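
An added example (not part of the original checklist or any product's own code) of a deployment gate covering the digest, evidence-pack and break-glass items above. The record fields (`artifact_digest`, `subject_digest`, `id`, `approver`) and the list of required evidence kinds are assumptions made for illustration; cryptographic verification of the signature and attestation is assumed to happen before this check.

```python
import hashlib
import hmac

# Hypothetical evidence-pack layout (an assumption, not a standard schema):
# every evidence item records the digest of the artifact it describes.
REQUIRED_EVIDENCE = ("sbom", "provenance", "signature")


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def evaluate_deployment(artifact, approval, evidence, exception=None):
    """Return (allowed, findings) for one deployment request."""
    digest = sha256_digest(artifact)
    findings = []

    # Approval must name the exact bytes being deployed, not a tag or version.
    if not hmac.compare_digest(str(approval.get("artifact_digest", "")), digest):
        findings.append("approval does not reference this artifact digest")

    # Each evidence item must exist and be bound to the same digest.
    for kind in REQUIRED_EVIDENCE:
        item = evidence.get(kind)
        if item is None:
            findings.append(f"evidence pack is missing {kind}")
        elif item.get("subject_digest") != digest:
            findings.append(f"{kind} describes a different artifact")

    if not findings:
        return True, []

    # Break-glass: allowed only with an explicit exception record for this
    # digest; findings are returned so the bypass is logged, not silent.
    if (exception and exception.get("id") and exception.get("approver")
            and exception.get("artifact_digest") == digest):
        return True, [f"BREAK-GLASS {exception['id']}: {f}" for f in findings]
    return False, findings


# Constructed sample data for the demonstration.
ARTIFACT = b"constructed release artifact bytes"
DIGEST = sha256_digest(ARTIFACT)
APPROVAL = {"artifact_digest": DIGEST, "approver": "release-manager"}
EVIDENCE = {kind: {"subject_digest": DIGEST} for kind in REQUIRED_EVIDENCE}

if __name__ == "__main__":
    print(evaluate_deployment(ARTIFACT, APPROVAL, EVIDENCE))
    print(evaluate_deployment(ARTIFACT + b"!", APPROVAL, EVIDENCE))
```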