Build Package Functional Component

Shall be the authoritative source for all Build Packages (often referred to as an artifact/build repository) including, for example, container images

Shall manage the lifecycle of all Build Packages from registration to archiving and clean-up of build artifacts

Shall secure the Build Packages for unauthorized access and unauthorized changes

Shall maintain a full audit trail of all additions and modifications in Build Packages and their components

May receive Build Packages and artifacts from external sources, such as third-party vendors and open-source libraries

Shall receive the Build Package from the Pipeline for a particular Digital Product or product component

Shall associate the Build Package with the Pipeline through which the Build Package is created

Shall ensure that all Build Packages (e.g., container images) are safe to deploy

Shall maintain a bill of materials for all components (and artifacts) that are part of a Product Release (including dependencies and references to third-partly libraries and components)

Shall scan and verify all Build Packages (and their components and dependencies) for potential security issues, compliance issues, and vulnerabilities (prior to deployment)

Shall associate one or many Build Packages to one or many Test Plans which are executed as part of the Build Package registration; for example, to perform a Software Composition Analysis (SCA) for all software packages and containers for vulnerabilities and software license compliance issues