Watch this video on YouTube
Your organization develops software involved in numerous open-source projects and is concerned about software supply chain threats. You need to provide provenance for the build to demonstrate that the software is untampered. What should you do?