add maven-lockfile (#1368)

monperrus · brandtkeller · web-flow · commit 225e7d30c30f · 2025-02-26T10:34:47.000-08:00
* add maven-lockfile

Signed-off-by: Martin Monperrus &lt;martin.monperrus@gnieh.org&gt;

* Update securing-build-pipelines.md

Signed-off-by: Martin Monperrus &lt;martin.monperrus@gnieh.org&gt;

---------

Signed-off-by: Martin Monperrus &lt;martin.monperrus@gnieh.org&gt;
Co-authored-by: Brandt Keller &lt;43887158+brandtkeller@users.noreply.github.com&gt;
diff --git a/community/publications/supply-chain-security-tools/securing-build-pipelines.md b/community/publications/supply-chain-security-tools/securing-build-pipelines.md
@@ -17,7 +17,6 @@ Here are the list of requirements for securing build pipelines. Each one has a l
 - SLSA (level 1)
 - in-toto
 
-
 ## 2. Validate environments and dependencies before usage
 
 ### Tool capability
@@ -69,6 +68,7 @@ Here are the list of requirements for securing build pipelines. Each one has a l
 ### Tools
 
 - apko
+- [maven-lockfile](https://github.com/chains-project/maven-lockfile/) for Java/Maven
 
 ## 6. Find and Eliminate Sources Of Non-Determinism
 
@@ -162,7 +162,7 @@ Here are the list of requirements for securing build pipelines. Each one has a l
 - in-toto (can be validated via runtime trace attestations)
 - Tekton (Pipelines)
 
-## 14. Ensure Software Factory has minimal network connectivity.
+## 14. Ensure Software Factory has minimal network connectivity
 
 ### Tool capability
 
