
NIST SSDF: PS — Provenance / SBOM Recorded

error

ssdf_ps_provenance_recorded

Tags: secure-development, security, pure_temporal, nist, ssdf, supply-chain, ps, rag-red

Provenance data (e.g. an SBOM) for each release is recorded (PS.3).

Formula

G(Release → P(provenance_recorded))

Read as: at every step of the trace (G, globally), if a Release occurs then provenance_recorded held at that step or at some earlier one (P, once in the past).

Why it matters

SSDF PS.3: archive and protect each software release, and collect provenance data (such as a software bill of materials).

Examples

passes: the practice's evidence is present

fails: the required secure-development step is absent
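The formula above evaluated over a trace, as an added example that is not ponens's own code. It assumes a constructed trace encoding (one set of atomic propositions per step) rather than the real trace.json format, and also shows a stricter per-release variant, since the literal P operator is satisfied by any single earlier provenance record:

```python
from typing import List, Set

# Assumed trace encoding (constructed for this example, not ponens's
# trace.json format): one set of atomic propositions per time step.
Trace = List[Set[str]]

def once(trace: Trace, atom: str) -> List[bool]:
    """Past-time operator P (once): True at step i if atom held at any step <= i."""
    seen, out = False, []
    for step in trace:
        seen = seen or atom in step
        out.append(seen)
    return out

def violations(trace: Trace) -> List[int]:
    """Evaluate G(Release -> P(provenance_recorded)) over the whole trace.
    Returns the steps where a Release occurs with no provenance_recorded at
    that step or before; an empty list means the policy holds everywhere (G)."""
    prov = once(trace, "provenance_recorded")
    return [i for i, step in enumerate(trace)
            if "Release" in step and not prov[i]]

def violations_per_release(trace: Trace) -> List[int]:
    """Stricter reading: provenance must be recorded again after each Release,
    i.e. the P operator is reset whenever a Release occurs. Not the gallery
    formula; shown because one old SBOM would otherwise satisfy every later release."""
    recorded, out = False, []
    for i, step in enumerate(trace):
        recorded = recorded or "provenance_recorded" in step
        if "Release" in step:
            if not recorded:
                out.append(i)
            recorded = False
    return out

# Constructed sample traces (no real project data).
GOOD = [{"commit"}, {"build"}, {"provenance_recorded"}, {"Release"},
        {"provenance_recorded", "Release"}]
BAD = [{"commit"}, {"build"}, {"Release"}, {"provenance_recorded"}]
STALE = [{"provenance_recorded"}, {"Release"}, {"commit"}, {"Release"}]

if __name__ == "__main__":
    for name, tr in (("good", GOOD), ("bad", BAD), ("stale", STALE)):
        print(name, "G-formula:", violations(tr),
              "per-release:", violations_per_release(tr))
```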

Use it

ponens policies add ssdf_ps_provenance_recorded --into ./trace.json
ponens trace check ./trace.json