Build Package Functional Component

Figure 1. Build Package Functional Component Model


The Build Package functional component is the authoritative source for all Build Packages and associated build artifacts. It receives the Build Package and any associated artifacts from the Pipeline functional component.

The Build Package functional component is the single source for the various types of Build Packages including software builds, infrastructure images, container images, etc.

The Build Package functional component supports the Integrate value stream.

Functional Criteria

The Build Package functional component:

  • Shall be the authoritative source for all Build Packages (often referred to as an artifact/build repository) including, for example, container images

  • Shall manage the lifecycle of all Build Packages from registration to archiving and clean-up of build artifacts

  • Shall secure the Build Packages against unauthorized access and unauthorized changes

  • Shall maintain a full audit trail of all additions and modifications in Build Packages and their components

  • May receive Build Packages and artifacts from external sources, such as third-party vendors and open-source libraries

  • Shall receive the Build Package from the Pipeline for a particular Digital Product or product component

  • Shall associate the Build Package with the Pipeline through which the Build Package is created

  • Shall ensure that all Build Packages (e.g., container images) are safe to deploy

  • Shall maintain a bill of materials for all components (and artifacts) that are part of a Product Release (including dependencies and references to third-party libraries and components)

  • Shall scan and verify all Build Packages (and their components and dependencies) for potential security issues, compliance issues, and vulnerabilities (prior to deployment)

  • Shall associate one or many Build Packages with one or many Test Plans which are executed as part of the Build Package registration; for example, to perform a Software Composition Analysis (SCA) of all software packages and containers for vulnerabilities and software license compliance issues
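
The following sketch is an added illustration, not part of the standard or of any product's code. It shows how several of the criteria above (protection against unauthorized changes, audit trail, Pipeline association, bill of materials, scan before deployment) can be enforced together at registration and retrieval time. The class, method, and field names are hypothetical, and the in-memory storage stands in for a real artifact repository.

```python
import hashlib
import json

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class BuildPackageRegistry:
    """In-memory sketch; every name here is hypothetical, not from the standard."""
    def __init__(self):
        self._packages = {}  # package name -> registration record
        self._audit = []     # append-only, hash-chained audit trail

    def _log(self, action, name, actor):
        # Each entry commits to its predecessor, so later edits are detectable.
        prev = self._audit[-1]["hash"] if self._audit else "0" * 64
        entry = {"action": action, "package": name, "actor": actor, "prev": prev}
        entry["hash"] = _digest(entry)
        self._audit.append(entry)

    def register(self, name, content, pipeline_id, bom, scan_passed, actor):
        if name in self._packages:  # a registered package is never overwritten
            self._log("overwrite-rejected", name, actor)
            raise PermissionError(f"{name} is already registered")
        self._packages[name] = {
            "content": content,
            "digest": hashlib.sha256(content).hexdigest(),
            "pipeline_id": pipeline_id, "bom": tuple(bom),
            "scan_passed": scan_passed,  # outcome of Test Plans run at registration
        }
        self._log("registered", name, actor)

    def fetch_for_deploy(self, name, actor):
        rec = self._packages[name]
        if hashlib.sha256(rec["content"]).hexdigest() != rec["digest"]:
            self._log("integrity-failure", name, actor)
            raise ValueError(f"{name} does not match its registered digest")
        if not rec["scan_passed"]:
            self._log("deploy-blocked", name, actor)
            raise PermissionError(f"{name} has not passed its scans")
        self._log("released", name, actor)
        return rec["content"]

    def audit_intact(self):
        prev = "0" * 64
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A production repository would store the audit trail and digests outside the reach of the accounts that can write packages; the hash chain only makes tampering evident, it does not prevent it.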