yes, i had this situation doing sarbanes oxley in 2014 or so, to prove the code “did not change” we generated a sha256 has on the source code on every execution, that proved the code did not change and if it did have to change, it was first reviewed by them. we’ll include the hash on the log entry. thanks.
anyway, we all know how easy is to fake evidence for a “manual” audit
