But then don’t you need to physically have that software to forensically analyze it?
I don’t even know if that question makes sense :)
Source code is like a text document. There can be many copies of it, but when you build it, it becomes an executable file.
If you want to have a secure system you must match source code to executable file. You do that by building the source code and creating a checksum.
Once you build it to be released and used, you cannot change it. If you do change it, it will not build and create the same checksum anymore.
Every machine that was used should be tested to see if the executable code checksum (fingerprint) matches. If it doesn’t then somebody put different code on that machine.
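The build-then-checksum-then-compare procedure described in the reply above, as an added example that is not part of the thread: the "build" here is a stand-in that concatenates source files deterministically instead of compiling them, and the source tree and fleet of hosts are constructed for illustration.

```python
import hashlib

# Constructed stand-in for "source code": file name -> contents.
SOURCE_TREE = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int add(int a, int b) { return a + b; }\n",
}

def build(source_tree: dict) -> bytes:
    """Hypothetical deterministic build: concatenate files in sorted order.
    No compiler is used; the point is that identical source always yields
    byte-identical output, so the checksum of that output is stable."""
    return b"".join(name.encode() + b"\0" + data
                    for name, data in sorted(source_tree.items()))

def checksum(artifact: bytes) -> str:
    """SHA-256 fingerprint of a built executable."""
    return hashlib.sha256(artifact).hexdigest()

def verify_fleet(expected: str, deployed: dict) -> dict:
    """Compare each machine's deployed binary with the release fingerprint.
    A False entry means the machine is running code that was not built from
    the released source."""
    return {host: checksum(binary) == expected for host, binary in deployed.items()}

RELEASE_BINARY = build(SOURCE_TREE)
RELEASE_CHECKSUM = checksum(RELEASE_BINARY)

# Constructed fleet: two hosts run the release, one has a modified binary.
FLEET = {
    "host-a": RELEASE_BINARY,
    "host-b": build(SOURCE_TREE),            # rebuilt from same source: same checksum
    "host-c": RELEASE_BINARY + b"patched",   # bytes appended: checksum changes
}

def tampered_hosts() -> list:
    """Hosts whose executable does not match the release checksum."""
    return sorted(h for h, ok in verify_fleet(RELEASE_CHECKSUM, FLEET).items() if not ok)

if __name__ == "__main__":
    print("release checksum:", RELEASE_CHECKSUM)
    print("mismatching hosts:", tampered_hosts())
```

Changing even one byte of source (or of the deployed binary) changes the fingerprint, which is what makes the per-machine comparison meaningful.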