**Tags:** #Process #OPSEC

> [!info]
> This information is shared as part of Decombine's commitment to [[Open Core]] practices.

## Software

Decombine's software supply chain can be broken down into the following major categories:

### Source control

Decombine source code is centrally stored and maintained on [GitHub](https://github.com) in the Decombine organization. Repositories in the organization are private by default, and access is limited to internal employees and contractors through role-based access control (RBAC). GitHub authentication is integrated via SAML with our identity and access management (IAM) solution, Azure Active Directory (AAD), which mandates multi-factor authentication (MFA) using FIDO tokens or an authenticator application such as Microsoft Authenticator. Access to GitHub single sign-on (SSO) is further constrained by membership in specific AAD groups.

### Release process

Decombine releases are performed centrally through GitHub Actions: stateless, ephemeral containers or virtual machines that check out the source code from the GitHub repository and run the steps defined in the repository's workflow YAML files. Release workflows run from the `main` branch of each repository, and changes to `main` are controlled through a pull request review process that requires authorization from principal technical leadership.

GitHub Actions authenticate to Azure using OpenID Connect (OIDC) tokens, which federate identity and permissions between Decombine's GitHub repositories and a service principal application in Azure. No passwords or long-lived secrets are stored in GitHub or used in this process: each workflow run exchanges a short-lived, run-scoped OIDC token for Azure credentials, so there is no static secret that could be leaked during execution.

### Software dependencies

Decombine software dependencies are declared in each GitHub repository's package manifests, one per programming language used. Each package manifest is continuously analyzed for vulnerabilities by two separate security systems:

1. GitHub Enterprise Dependabot
2. Microsoft Defender for Cloud

Vulnerabilities surfaced through these automatic scans are centralized for triage and resolution on a daily recurring schedule.
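The release-process description above (GitHub Actions signing in to Azure with an OIDC token rather than a stored secret) is illustrated by the following workflow. It is an added example, not Decombine's own workflow or code; the organization name, repository name, environment name and the `AZURE_*` repository variables are hypothetical placeholders.

```yaml
# Added example (not Decombine's workflow): a release job that authenticates to
# Azure with a GitHub-issued OIDC token. No client secret exists anywhere in the
# repository, so there is nothing static for a compromised step to exfiltrate.
name: release

on:
  push:
    branches: [main]        # release runs only from the protected main branch

permissions:
  contents: read            # enough to check out the source
  id-token: write           # lets the job request an OIDC token from GitHub
  # Everything else on GITHUB_TOKEN is left unset, i.e. no write scopes.

jobs:
  release:
    runs-on: ubuntu-latest
    # Binding the job to an environment makes the token's "sub" claim
    # repo:example-org/example-repo:environment:production (hypothetical names),
    # which the Azure federated credential can match exactly.
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Sign in to Azure via federated identity
        uses: azure/login@v2
        with:
          # Identifiers only, not secrets; stored as plain repository variables.
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          # azure/login requests the OIDC token with the audience
          # api://AzureADTokenExchange, which must match the federated
          # credential configured on the Azure app registration.

      - name: Publish the release artefact
        run: |
          # The CLI session is backed by a short-lived Azure token obtained in
          # the OIDC exchange above; it expires with the job and is never written
          # to the repository or to GitHub secrets.
          az account show --query '{subscription:name, tenant:tenantId}' -o table
          # build and push steps would follow here
```

On the Azure side, the service principal's app registration needs a federated credential with issuer `https://token.actions.githubusercontent.com`, audience `api://AzureADTokenExchange`, and a subject equal to the token's `sub` claim, for example `repo:example-org/example-repo:environment:production` or, for a branch binding, `repo:example-org/example-repo:ref:refs/heads/main` (hypothetical names). Azure matches the subject exactly, so a credential bound to `main` cannot be used by a feature branch or pull-request workflow; that exact match is what ties the Azure permissions to the reviewed `main` branch rather than to the repository as a whole. The practical check is to confirm that no `AZURE_CLIENT_SECRET` (or similar) exists under the repository's secrets and that the job's `permissions` block does not grant write scopes beyond `id-token`.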