Chapter 3. Checklist
Codify how you raise bars safely and reproducibly.
Gates & Ratcheting
- Ratcheting plan: What’s your 6-week path from WARN→ENFORCE? (document week-by-week)
- Exit codes: Which tools produce non-zero exit on gate fail (Trivy, Semgrep, Checkov)? Who can override?
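As an added illustration (not from the book) of the two items above, the following POSIX sh wrapper encodes a week-by-week WARN→ENFORCE schedule per gate, propagates the scanner's non-zero exit only once the gate is enforced, and records every result and every override (with a named approver and reason) in an evidence log. The gate names, weeks, variable names and log format are constructed assumptions; `sh -c 'exit 1'` stands in for a real scanner invocation.

```shell
#!/bin/sh
# Added example: minimal WARN->ENFORCE ratchet wrapper for CI gates (constructed, not the book's).

# Week-by-week ratchet: the week in which each gate flips from WARN to ENFORCE.
GATE_SCHEDULE="trivy:4
semgrep:5
checkov:6"

# Every gate result and every override is appended here (evidence for promotion).
GATE_LOG=${GATE_LOG:-gate-evidence.log}

# gate_enforce_week <gate>: first ENFORCE week for a gate; unknown gates fail closed
# (enforced from week 1) so a typo in a gate name can never silently downgrade it.
gate_enforce_week() {
  week=$(printf '%s\n' "$GATE_SCHEDULE" | grep "^$1:" | cut -d: -f2)
  echo "${week:-1}"
}

# gate_mode <gate> <current-week>: prints WARN or ENFORCE.
gate_mode() {
  if [ "$2" -ge "$(gate_enforce_week "$1")" ]; then echo ENFORCE; else echo WARN; fi
}

# gate_run <gate> <current-week> <command...>: runs the scanner command.
#   pass            -> exit 0
#   fail in WARN    -> logged, exit 0 (does not block the pipeline)
#   fail in ENFORCE -> exit with the tool's code, unless GATE_OVERRIDE_BY and
#                      GATE_OVERRIDE_REASON are both set; the override is then logged.
gate_run() {
  gate=$1; week=$2; shift 2
  mode=$(gate_mode "$gate" "$week")
  rc=0; "$@" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "gate=$gate week=$week mode=$mode result=pass" >> "$GATE_LOG"; return 0
  fi
  if [ "$mode" = WARN ]; then
    echo "gate=$gate week=$week mode=WARN result=fail rc=$rc blocking=no" >> "$GATE_LOG"; return 0
  fi
  if [ -n "${GATE_OVERRIDE_BY:-}" ] && [ -n "${GATE_OVERRIDE_REASON:-}" ]; then
    echo "gate=$gate week=$week mode=ENFORCE result=fail rc=$rc blocking=no override_by=$GATE_OVERRIDE_BY reason=$GATE_OVERRIDE_REASON" >> "$GATE_LOG"
    return 0
  fi
  echo "gate=$gate week=$week mode=ENFORCE result=fail rc=$rc blocking=yes" >> "$GATE_LOG"
  return "$rc"
}

# Demo: the same failing scan only warns in week 2 but blocks in week 4.
gate_run trivy 2 sh -c 'exit 1' && echo "week 2: warned, not blocked"
gate_run trivy 4 sh -c 'exit 1' || echo "week 4: blocked (rc=$?)"
```

The override path is deliberately the only way past an enforced gate, and it cannot be taken anonymously, which is what makes the evidence log answer "who can override?" after the fact.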
Base Images & Digests
- Golden base: Which base images are allowed per language? (e.g., distroless, alpine)
- Digest pinning: Will you pin digests for base & runtime? Where are pins recorded/updated?
- Update cadence: Who bumps base images and how often (weekly, monthly)?
Signing & Provenance
- Signing mode: Offline blob signing vs registry signature — which is feasible in your environment?
- Keys: Who holds cosign.key/cosign.pub? How are they backed up/rotated?
SBOM Diff & Licenses
- Diff trigger: On release candidate or every merge to main?
- License allowlist: What is your current allow/deny? Who approves exceptions?
Mirrors & Caching
- Dependency mirrors: Will you run a local Go proxy (and/or npm cache)? Who owns uptime/space?
- Air-gapped plan: If internet egress is cut, can builds still succeed with mirrors + pinned bases?
Promotion & Evidence
- Promotion rule: Define “promote on pass” criteria (which gates must be green).
- Evidence bundling: Who packages evidence ZIPs and where are they archived?