Level: L1 Essential. Verification: Automated.

6.3 Rug Pull Protection

Part of 6. Supply Chain Integrity: How do we trust components?

Description

Remote components, including MCP servers, MUST be pinned to a specific version or, preferably, to a content hash, never to a mutable reference such as a floating version range, a branch name, or a 'latest' tag.

Rationale

A 'rug pull' occurs when a trusted component is silently replaced with malicious code at its source, so that the next fetch of an unpinned reference (a floating version range, a branch, a mutable tag such as 'latest') delivers the malicious build with no change on the consumer's side. Pinning to an exact version narrows the window, since published versions in most package registries cannot be republished, but tags and branches can be moved at will. Pinning to a content hash closes it: a replaced artifact no longer matches the recorded digest, and the substitution is caught before the component runs.

Audit Procedure

1. Check that every dependency manifest pins exact versions (and, where the ecosystem supports it, content hashes) rather than ranges or tags
2. Verify that MCP server references (package specs, container images) name a specific version or digest, not 'latest' or an unversioned package
3. Check for auto-update settings and for launch commands that resolve to the newest release at run time (for example 'npx' or 'uvx' started with an unversioned package)
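The three audit steps above, carried out against sample files, as an added example; this is not code from the control page or from any MCP project. It assumes the project keeps a pip requirements.txt, a package.json, and an MCP host config with an "mcpServers" map of command-plus-args entries, and every package, image and server name in the sample inputs is constructed.

```python
"""Audit helper for this control, added as an example; it is not code from
the control page or any MCP project.  It flags remote components that are
not pinned to an exact version or digest.  The file formats it reads are
assumptions about what a project keeps on disk: a pip requirements.txt, a
package.json, and an MCP host config with an "mcpServers" map of
command + args entries."""
import json
import re

# Constructed sample inputs; every package, image and server name is fictional.
REQUIREMENTS_TXT = """\
requests==2.32.3 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
pyyaml>=6.0
httpx
cryptography~=42.0
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.19.2", "lodash": "^4.17.21", "left-pad": "latest"}
})

MCP_CONFIG_JSON = json.dumps({
    "mcpServers": {
        "files":   {"command": "npx",    "args": ["-y", "@example/files-server@1.4.2", "/data"]},
        "fetch":   {"command": "uvx",    "args": ["example-fetch-server"]},
        "tickets": {"command": "npx",    "args": ["-y", "@example/ticket-server"]},
        "db":      {"command": "docker", "args": ["run", "-i", "ghcr.io/example/mcp-postgres:latest"]},
        "search":  {"command": "docker", "args": ["run", "-i", "ghcr.io/example/mcp-search@sha256:" + "a" * 64]},
    }
})

PIP_EXACT = re.compile(r"^[A-Za-z0-9_.\-\[\],]+==\S+")   # name[extras]==version
NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+$")                # bare semver, no ^ ~ x * ranges
OCI_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")        # image pinned by digest


def npm_spec_version(spec):
    """Split '@scope/name@1.2.3' into ('@scope/name', '1.2.3'); the version is None
    when the spec carries no '@version' (a leading '@' is the scope, not a version)."""
    at = spec.rfind("@")
    if at <= 0:
        return spec, None
    return spec[:at], spec[at + 1:]


def audit_requirements(text):
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option line
            continue
        if not PIP_EXACT.match(line):
            findings.append(("requirements.txt", line, "not pinned with =="))
        elif "--hash=" not in line:
            findings.append(("requirements.txt", line, "exact version but no --hash"))
    return findings


def audit_package_json(text):
    findings = []
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if not NPM_EXACT.match(spec):
                findings.append(("package.json", f"{name}@{spec}", "range or tag, resolves to newest match"))
    return findings


def first_positional(args):
    """First argument that is not a flag; for npx/uvx this is the package spec."""
    return next((a for a in args if not a.startswith("-")), "")


def audit_mcp_config(text):
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        cmd, args = server.get("command", ""), server.get("args", [])
        if cmd == "npx":
            pkg = first_positional(args)
            _, version = npm_spec_version(pkg)
            if version is None or not NPM_EXACT.match(version):
                findings.append(("mcp", name, f"npx fetches newest {pkg!r} at every start"))
        elif cmd == "uvx":
            pkg = first_positional(args)
            if "==" not in pkg:
                findings.append(("mcp", name, f"uvx fetches newest {pkg!r} at every start"))
        elif cmd == "docker" and args and args[0] == "run":
            image = first_positional(args[1:])
            if not OCI_DIGEST.search(image):
                findings.append(("mcp", name, f"image {image!r} referenced by tag, tags are mutable"))
    return findings


def audit_all():
    return (audit_requirements(REQUIREMENTS_TXT)
            + audit_package_json(PACKAGE_JSON)
            + audit_mcp_config(MCP_CONFIG_JSON))


if __name__ == "__main__":
    for source, item, reason in audit_all():
        print(f"{source:17} {item:60} {reason}")
```

Only the 'requests' line, the 'express' entry, the 'files' server and the digest-pinned 'search' image pass; everything else is reported with the reason it can change underneath the project. The checks deliberately treat an exact version without a hash as a weaker finding rather than a pass, since a version number alone does not detect a republished artifact.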

Remediation

1. Pin all dependencies to exact versions, and to content hashes where the ecosystem supports it
2. Use lockfiles, commit them, and install from the lockfile in CI rather than re-resolving versions on every build
3. Monitor for component changes: compare each fetched artifact against its recorded digest and fail closed on a mismatch
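Remediation steps 1 and 3 above in working form, as an added example that is not the control page's own code: record the content hash of each remote component at pin time in a lock manifest, then refuse to load any component whose bytes no longer match. Artifacts are in-memory byte strings so the example runs offline; in practice they are the downloaded package, wheel or image layer. All component names and contents are constructed.

```python
"""Remediation helper, added as an example (not the control page's own
code): pin remote components by content hash, then fail closed when the
bytes behind a pinned reference change.  Artifacts are in-memory bytes here
so the example runs offline; in practice they are the downloaded package,
wheel or image layer.  All component names and contents are constructed."""
import hashlib


def sha256_hex(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_lock(components):
    """components: {'name@version': artifact bytes} as fetched at pin time.
    Returns the lock manifest {'name@version': digest} to commit to the repo."""
    return {ref: sha256_hex(data) for ref, data in sorted(components.items())}


def check_components(lock, fetched):
    """Compare newly fetched artifacts against the committed lock.
    'changed' is the rug-pull case: same name and version, different bytes."""
    report = {"ok": [], "changed": [], "missing": [], "unpinned": []}
    for ref, digest in lock.items():
        if ref not in fetched:
            report["missing"].append(ref)
        elif sha256_hex(fetched[ref]) != digest:
            report["changed"].append(ref)
        else:
            report["ok"].append(ref)
    report["unpinned"] = sorted(set(fetched) - set(lock))
    return report


def enforce(lock, fetched):
    """Fail closed: only components whose digest matches the lock may load."""
    report = check_components(lock, fetched)
    problems = report["changed"] + report["unpinned"]
    if problems:
        raise RuntimeError("refusing to load unverified components: " + ", ".join(problems))
    return report["ok"]


# Constructed: what was fetched when the pins were first recorded.
PINNED_AT_INSTALL = {
    "@example/files-server@1.4.2": b"#!/usr/bin/env node\nconsole.log('files server 1.4.2');\n",
    "example-fetch-server==0.6.0": b"def main():\n    print('fetch server 0.6.0')\n",
}
LOCK = build_lock(PINNED_AT_INSTALL)

# Constructed: the same references fetched later.  The second artifact was
# republished with extra code behind the unchanged version string, and a
# third component appeared that nobody pinned.
FETCHED_LATER = {
    "@example/files-server@1.4.2": PINNED_AT_INSTALL["@example/files-server@1.4.2"],
    "example-fetch-server==0.6.0": b"def main():\n    exfiltrate()\n    print('fetch server 0.6.0')\n",
    "@example/new-tool@0.1.0": b"// never pinned\n",
}

if __name__ == "__main__":
    print(check_components(LOCK, FETCHED_LATER))
    try:
        enforce(LOCK, FETCHED_LATER)
    except RuntimeError as err:
        print(err)
```

The version string of 'example-fetch-server' never changes, so a version-only pin would have loaded the republished build; the digest comparison is what surfaces it. A component that is in the lock but absent from the fetch is reported as 'missing' for visibility but does not block loading, since nothing unverified is being executed.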

Framework Mappings

CIS Control 2.5
NIST PR.DS-6