Your organization develops software involved in many open-source projects and is concerned about software supply chain threats. You need to generate build provenance to demonstrate that the software has not been tampered with.
What should you do?
A
Hire an external auditor to review and provide provenance.
Define the scope and conditions.
Get support from the Security department or representative.
Publish the attestation to your public web page.
B
Review the software process.
Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.
Publish the PGP signed attestation to your public web page.
C
Publish the software code on GitHub as open source.
Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.
D
Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.
View the build provenance in the Security insights side panel within the Google Cloud console.
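The question turns on what build provenance is: a statement, produced by the build system itself, that names the artifact (by digest), the source it was built from and the builder that built it, so a consumer can check an artifact against it before use. As an added example that is not from the exam page, from Google Cloud Build or from the SLSA project, the block below shows that consuming side: it constructs a minimal in-toto v1 Statement with a SLSA v1 provenance predicate for a constructed sample artifact, then verifies an artifact against it. The builder identifier, build type and source URL are hypothetical placeholders; real Cloud Build provenance carries more fields and is delivered in a signed DSSE envelope whose signature must be verified first, which this example does not do.

```python
"""Added example: check an artifact against a SLSA provenance statement.

Illustrative code, not from the exam page or from Cloud Build. The statement
built here is a constructed, minimal in-toto Statement (v1) with a SLSA v1
provenance predicate; signature verification of the enclosing envelope is
out of scope and must happen before any of these checks mean anything.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample artifact; stands in for a release tarball.
ARTIFACT = b"example release tarball bytes\n"
ARTIFACT_NAME = "app-1.0.0.tar.gz"

# Hypothetical builder and build-type identifiers (assumptions, not real services).
TRUSTED_BUILDER_ID = "https://builder.example.invalid/hypothetical"
BUILD_TYPE = "https://builder.example.invalid/hypothetical/build-type/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, name: str) -> str:
    """Build a minimal in-toto v1 Statement carrying a SLSA v1 provenance predicate."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": BUILD_TYPE,
                "externalParameters": {
                    # Constructed source reference for illustration only.
                    "source": "https://github.com/example/app@refs/tags/v1.0.0",
                },
            },
            "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}},
        },
    }
    return json.dumps(statement)


def verify_provenance(provenance_json: str, artifact: bytes, name: str,
                      trusted_builders: set[str]) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes.

    Checks, in order: statement and predicate types, that the artifact is a
    listed subject, that its sha256 matches the recorded digest, and that the
    builder that produced the provenance is one the consumer trusts.
    """
    stmt = json.loads(provenance_json)
    if stmt.get("_type") != STATEMENT_TYPE:
        return False, "unexpected statement type"
    if stmt.get("predicateType") != SLSA_PREDICATE_TYPE:
        return False, "unexpected predicate type"
    subject = next((s for s in stmt.get("subject", []) if s.get("name") == name), None)
    if subject is None:
        return False, "artifact not listed as a subject"
    expected = subject.get("digest", {}).get("sha256")
    if expected != sha256_hex(artifact):
        return False, "digest mismatch: artifact does not match provenance"
    builder_id = (stmt.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id"))
    if builder_id not in trusted_builders:
        return False, f"untrusted builder: {builder_id}"
    return True, "ok"


if __name__ == "__main__":
    prov = make_provenance(ARTIFACT, ARTIFACT_NAME)
    print(verify_provenance(prov, ARTIFACT, ARTIFACT_NAME, {TRUSTED_BUILDER_ID}))
    print(verify_provenance(prov, ARTIFACT + b"tampered", ARTIFACT_NAME, {TRUSTED_BUILDER_ID}))
```

The digest check is what distinguishes provenance from a detached signature such as the PGP approach in option B: a signature over the artifact proves who signed it, while the provenance additionally records which builder produced it and from which source, so a consumer can reject artifacts that match no trusted build even when they carry a valid signature.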