ActiveState's 2023 Software Supply Chain Security Survey

Part 1 / 4 Source Code Integrity

We ensure all code is tracked in a version control system

We verify the revision history (ie., verify timestamp and the author/uploader)

We indefinitely keep a complete history of all revisions

We implicitly trust the repository

Not sure

Other (please specify)

Yes, verifying Provenance Attestations is part of our automated import pipeline

Sometimes we verify Provenance Attestations when required by security or for suspicious packages

No, we don't verify Provenance Attestations yet, but we are planning to

No, we don't verify Provenance Attestations and have no plans to

Don't know/ never heard of it