CC6.8 — Prevention and detection of unauthorised software

Status: Implemented
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28

Trust Services Criteria reference

The entity implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet the entity's objectives. The control covers supply-chain hygiene around third-party dependencies, CVE monitoring, integrity verification of cryptographic artefacts, and host-level defences against malicious code execution.

How ZeroAuth meets this control

Three layers protect against unauthorised software entering the production runtime.

Layer 1: dependency-ADR discipline. Every new dependency requires an ADR per the dep-add skill (.claude/skills/dep-add/SKILL.md). The skill walks through (1) identify need, (2) survey alternatives, (3) supply-chain check (license, maintainer, downloads, CVEs, transitive runtime deps), (4) write ADR, (5) install, (6) commit. The scripts/check-dep-trail.sh script audits the dependency tree against /adr/ — every direct dep must trace to an ADR. The ADR-trail scan is one of the commit-time gates per 06-ways-of-working.md "Commit-time gates" §6.

Concrete ADR trail examples: ADR 0001 (adopt-express-rate-limit-as-direct-dep), ADR 0003 (adopt-playwright-for-e2e), ADR 0005 (adopt-nodemailer-for-smtp), ADR 0007 (iot-serialport-dependency), ADR 0008 (iot-snarkjs-poseidon-lite), ADR 0010 (android-webview-snarkjs-bundling), ADR 0012 (android-keystore-module-deps), ADR 0016 (zod-input-validation). The grandfathered initial deps are inventoried in ADR 0000.
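The following is an added illustration of the Layer 1 audit, not the project's own scripts/check-dep-trail.sh: it maps every direct dependency in package.json to the ADR that introduced it (or to the grandfathering ADR 0000) and returns a non-zero status for any dependency without a trail. The package.json contents, the ADR files and the "Dependencies:" header line inside each ADR are constructed for this example and are not the project's documented ADR format.

```javascript
// Added example (not the project's scripts/check-dep-trail.sh): a minimal
// dependency-to-ADR trail audit. Every direct dependency must be named by some
// ADR, or be inventoried in the grandfathering ADR 0000. All file contents
// below are constructed for this example.

// Constructed stand-in for package.json "dependencies" (only names matter here).
const PACKAGE_JSON = {
  dependencies: {
    "express-rate-limit": "^7.0.0",
    "nodemailer": "^6.9.0",
    "zod": "^3.22.0",
    "left-pad": "^1.3.0", // deliberately has no ADR: must be flagged
  },
};

// Constructed stand-in for the /adr/ directory: filename -> file text.
// The "Dependencies:" header is an assumed convention for this example.
const ADR_FILES = {
  "0000-grandfather-initial-deps.md":
    "# ADR 0000: Grandfather initial deps\nDependencies: express, pino\n",
  "0001-adopt-express-rate-limit-as-direct-dep.md":
    "# ADR 0001: Adopt express-rate-limit as a direct dep\nDependencies: express-rate-limit\n",
  "0005-adopt-nodemailer-for-smtp.md":
    "# ADR 0005: Adopt nodemailer for SMTP\nDependencies: nodemailer\n",
  "0016-zod-input-validation.md":
    "# ADR 0016: Zod input validation\nDependencies: zod\n",
};

// Extract the package names an ADR declares it covers.
function adrDependencies(text) {
  const m = /^Dependencies:\s*(.*)$/m.exec(text);
  if (!m) return [];
  return m[1].split(",").map((s) => s.trim()).filter(Boolean);
}

// Build a map from package name -> ADR filename(s) that cover it.
function buildTrail(adrFiles) {
  const trail = new Map();
  for (const [file, text] of Object.entries(adrFiles)) {
    for (const dep of adrDependencies(text)) {
      if (!trail.has(dep)) trail.set(dep, []);
      trail.get(dep).push(file);
    }
  }
  return trail;
}

// Audit: direct deps that no ADR (ADR 0000 included) accounts for.
function untracedDependencies(pkg, adrFiles) {
  const trail = buildTrail(adrFiles);
  return Object.keys(pkg.dependencies || {}).filter((dep) => !trail.has(dep));
}

// Same contract as the commit-time gate: 0 only when the trail is clean.
function auditExitCode(pkg, adrFiles) {
  const missing = untracedDependencies(pkg, adrFiles);
  for (const dep of missing) {
    console.error(`no ADR found for direct dependency "${dep}"`);
  }
  return missing.length === 0 ? 0 : 1;
}

// Stand-alone run: the constructed tree is dirty because of left-pad.
console.log(`check-dep-trail exit status would be ${auditExitCode(PACKAGE_JSON, ADR_FILES)}`);
```

The audit keys on the ADR's declared dependency list rather than on free-text mentions, so a dependency that is merely discussed in an ADR (say, as a rejected alternative) does not count as traced.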

Layer 2: nightly CVE monitor. scripts/cve-monitor.sh (commit f8a756c) scans the dependency tree against the GitHub advisory database. A high-severity finding pages the on-call rotation. The fixture-based regression guard tests/cve-monitor.test.ts (also commit f8a756c) — plus the vulnerable-lockfile fixture at tests/fixtures/vulnerable-lockfile/ — verifies the monitor itself doesn't drift silent. Closes audit finding C-14 ("No CVE monitoring; supply-chain attacks invisible until they bite").
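As an added illustration of Layer 2 (this is not the project's scripts/cve-monitor.sh or tests/cve-monitor.test.ts), the block below shows the two halves of a fixture-guarded CVE monitor: the scan that matches installed lockfile versions against advisories, and the regression guard that fails if the scan stops detecting a known-vulnerable fixture. The package-lock.json, the advisory entries (with placeholder GHSA-EXAMPLE ids) and the simplified version comparison are constructed assumptions; the advisory list stands in for what the real script fetches from the GitHub advisory database.

```javascript
// Added example (not the project's cve-monitor.sh): lockfile-vs-advisory scan
// plus the "did the monitor drift silent?" regression guard. Lockfile and
// advisories are constructed; the advisory array stands in for the GitHub
// advisory database response the real script queries.

// Constructed package-lock.json (lockfileVersion 3 shape), playing the role of
// the tests/fixtures/vulnerable-lockfile/ fixture.
const VULNERABLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "fixture", version: "0.0.0" },
    "node_modules/example-parser": { version: "1.4.2" },
    "node_modules/example-logger": { version: "3.0.1" },
    "node_modules/example-parser/node_modules/example-util": { version: "0.9.0" },
  },
};

// Constructed advisories with placeholder ids: package, first fixed version, severity.
const ADVISORIES = [
  { id: "GHSA-EXAMPLE-0001", package: "example-parser", fixedIn: "1.5.0", severity: "high" },
  { id: "GHSA-EXAMPLE-0002", package: "example-util", fixedIn: "1.0.0", severity: "moderate" },
  { id: "GHSA-EXAMPLE-0003", package: "example-logger", fixedIn: "2.0.0", severity: "critical" },
];

// Numeric compare of dotted versions; pre-release tags are ignored (an
// assumption that keeps the example short compared with full semver).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path: text after the last "node_modules/",
// which keeps scoped names such as @scope/name intact. Nested (transitive)
// installs are scanned too, since they sit in the runtime tree as well.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// A package is affected when its installed version is below the fix version.
function scanLockfile(lockfile, advisories) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    const name = packageName(lockPath);
    if (!name) continue;
    for (const adv of advisories) {
      if (adv.package === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({ id: adv.id, package: name, installed: entry.version,
                        fixedIn: adv.fixedIn, severity: adv.severity, path: lockPath });
      }
    }
  }
  return findings;
}

// Paging policy from the control text: high (or worse) pages on-call.
const PAGING_SEVERITIES = new Set(["high", "critical"]);
function shouldPageOnCall(findings) {
  return findings.some((f) => PAGING_SEVERITIES.has(f.severity));
}

// Regression guard: the monitor must still find the known-bad fixture. An
// empty result here means the monitor drifted silent, whatever the cause
// (broken parsing, broken version compare, empty advisory feed).
function monitorStillDetects(fixture, advisories) {
  return scanLockfile(fixture, advisories).length > 0;
}

const demoFindings = scanLockfile(VULNERABLE_LOCKFILE, ADVISORIES);
console.log(`${demoFindings.length} finding(s); page on-call: ${shouldPageOnCall(demoFindings)}`);
```

The guard deliberately asserts only that the fixture produces at least one finding: the point is to catch a monitor that has silently stopped reporting, not to pin the exact advisory set, which changes as the feed changes.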

Layer 3: cryptographic artefact integrity. ADR 0015 (commit 27ed93c) + commit e98d158 install a boot-time SHA-256 check on verification_key.json — the verifier refuses to start with a mismatched vkey. The mechanism prevents the "swapped vkey" class of unauthorised-software introduction (an attacker who can write to the vkey file cannot make the service accept it without also changing the SHA-256 constant in source). ADR 0015 §"What we do NOT support" explicitly rejects a --force flag.

For the Android prover: ADR 0010 (android-webview-snarkjs-bundling) + commit d18460f pin the prover-asset hashes in a Gradle gate — a tampered prover bundle fails the build. Server-side Play Integrity enforcement (commit 0224be4) on the /v1/proof-pairing/submit endpoint rejects submissions from devices that don't present MEETS_DEVICE_INTEGRITY + MEETS_BASIC_INTEGRITY. WebView process isolation (commit e2579df) bounds the impact of WebView-level compromise.

For Docker artefacts: the Dockerfile is multi-stage (dev / test / api-build / dashboard-build / docs-build / production). The production stage installs production dependencies only; dev dependencies are isolated to earlier stages. Image-layer hashes are emitted by Docker as part of the build.

The supply-chain story extends to the smart contracts. The contracts/ directory holds Solidity 0.8 sources; the deploy-addresses are pinned in contracts/deployed-addresses.json. The forthcoming Trail of Bits / equivalent audit (compliance roadmap D-Q2-08, weeks 16–24) is the third-party verification of contract integrity. The on-chain anchor (AuditAnchor contract, commit d6c6a4e) is the most-recently-added contract surface.

CI integrity itself: the .github/workflows/ci.yml and .github/workflows/deploy.yml workflows are the only paths from commit to production. ADR 0011 (commit 51bc705) makes the gate non-bypassable. Branch protection on main enforces PR + CI + sub-agent approval. The tests/seed-demo-tenants.test.ts + tests/setup.ts (added in the latest merge) prevent ad-hoc seed data from contaminating production.

The pre-commit hook (per C-001) is the last line of defence: secret scan, biometric forbidden-key scan, ADR-trail scan, Co-Authored-By: Claude scan. --no-verify is forbidden.

Evidence references

  • .claude/skills/dep-add/SKILL.md — every dep is an ADR.
  • scripts/check-dep-trail.sh — dependency-ADR audit script.
  • /adr/0000-grandfather-initial-deps.md through /adr/0016-zod-input-validation.md — 17-row dependency / decision trail.
  • Commit f8a756c — nightly CVE monitor (scripts/cve-monitor.sh + tests/cve-monitor.test.ts).
  • Commit e98d158 — boot-time vkey hash check (ADR 0015 enforcement).
  • Commit d18460f — pinned Android prover-asset hashes (ADR-0010 Gradle gate).
  • Commit 0224be4 — Play Integrity server-side enforcement.
  • Commit e2579df — WebView process isolation.
  • ADR 0010-android-webview-snarkjs-bundling.md — Android asset bundling.
  • ADR 0011-branching-workflow.md (commit 51bc705) — non-bypassable gate.
  • ADR 0015-circuit-version-pinning.md (commit 27ed93c) — circuit-version pin.
  • ADR 0016-zod-input-validation.md (commit 76f8d4e) — input validation.
  • Dockerfile (repository root) — multi-stage build separation.
  • contracts/deployed-addresses.json — on-chain artefact pin.

Open gaps + remediation roadmap

  • Software Bill of Materials (SBOM) auto-generation — CycloneDX or SPDX from package-lock.json; target week 14 (2026-08-24) alongside the ISO Annex A.8.30 surface preparation.
  • Container image signing (cosign / sigstore) — target week 22 (2026-10-12); pairs with the SOC 2 Type I observation window kickoff.
  • Trail of Bits smart-contract audit — D-Q2-08 + D-Q2-09, target weeks 24–26.
  • Bug bounty programme — D-Q3-03, target week 27; supplements internal CVE-monitor detection with external researcher reports.

Test or audit query

  • bash scripts/check-dep-trail.sh — returns 0 for a clean run.
  • cat scripts/cve-monitor.sh | head -20 — shows the GitHub advisory-DB query.
  • git log --oneline -- adr/ — returns a steady ADR cadence, corroborating that new deps trace to a written rationale.