CMake executes build scripts and toolchains; untrusted source trees can execute arbitrary commands.
- Treat
CMakeLists.txt and modules as executable code.
- Build untrusted projects in isolated containers/VMs.
- Pin toolchain and dependency versions for reproducibility.
- Restrict build runner privileges and filesystem mounts.
- Disable unnecessary network egress during builds.
- Sign release artifacts and verify checksums.