This software is guided by the SSDF (Secure Software Development Framework) to the best of its abilities.
Proving the integrity of your software artifacts is essential, but it is not enough: although it enables users to trust the artifacts that they consume, it does not provide any trusted context to that artifact.
Please be advised that these strategies SHOULD NOT be treated as an end-all solution. Be sure to take further precautions to ensure a level of security that satisfies your needs.
| Version | Supported |
|---|---|
| 2025.0.0 | ✅ |
| 2025.1.0 | ✅ |
| 2024.0.0 | ❌ |
| 2024.1.0 | ❌ |
A chronological CalVer nightly Continuous Delivery strategy is used for versioning instead of SemVer.
The version generation and publishing routine can be found here.
Artifact integrity is about the ability to trust the authenticity of artifacts: verifying that the artifact you get is really the original artifact uploaded by its author.
This software uses the in-toto 3-layer methodology for cryptographically signing artifacts & metadata:
- The DSSE Envelope (“Dead Simple Signing Envelope”): the transport layer.
- The in-toto Statement: the attestation header.
- The predicate: the attestation payload.
This software utilizes [SLSA (Supply-chain Levels for Software Artifacts)](https://slsa.dev/spec/v1.0/about) provenance for proof-of-origin verification prior to usage within sensitive supply chains.
The nightly build process generates artifacts automatically, which allows verification of the software's authenticity and integrity (i.e., that the developers are who they claim to be and that the software has not been tampered with after release).
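The following is an added example, not the project's own code, of how a consumer walks the three in-toto layers above (DSSE envelope, statement, SLSA provenance predicate) before trusting a nightly artifact. It assumes an HMAC demo key in place of the project's real asymmetric signing key, and a placeholder builder id; the envelope and artifact bytes are constructed inline.

```python
import base64, hashlib, hmac, json

# Type URIs from the in-toto attestation framework and the SLSA v1 spec.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes the signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def verify_provenance(env: dict, artifact: bytes, builder_id: str, verify_sig) -> dict:
    """Check envelope -> statement -> predicate in order; verify_sig(signed, sig) -> bool."""
    if env["payloadType"] != PAYLOAD_TYPE:
        raise ValueError("envelope: unexpected payloadType")
    payload = base64.b64decode(env["payload"])
    signed = pae(env["payloadType"], payload)  # verify over the PAE, never the raw payload
    if not any(verify_sig(signed, base64.b64decode(s["sig"])) for s in env["signatures"]):
        raise ValueError("envelope: no valid signature")
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PROVENANCE_TYPE:
        raise ValueError("statement: not an in-toto v1 statement with a SLSA v1 predicate")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        raise ValueError("statement: artifact digest is not among the subjects")
    if stmt["predicate"]["runDetails"]["builder"]["id"] != builder_id:
        raise ValueError("predicate: provenance not produced by the expected builder")
    return stmt["predicate"]

# Constructed sample so this runs offline: HMAC with a shared demo key stands in for
# the real asymmetric signer (assumption); verify_sig would wrap the project's public key.
DEMO_KEY = b"demo-signing-key"
BUILDER = "https://builder.example.invalid/nightly"  # placeholder builder id

def make_envelope(artifact: bytes, builder_id: str = BUILDER) -> dict:
    stmt = {"_type": STATEMENT_TYPE, "predicateType": PROVENANCE_TYPE,
            "subject": [{"name": "release.tar.gz",
                         "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
            "predicate": {"buildDefinition": {"buildType": "nightly-calver"},
                          "runDetails": {"builder": {"id": builder_id}}}}
    payload = json.dumps(stmt, separators=(",", ":")).encode()
    sig = hmac.new(DEMO_KEY, pae(PAYLOAD_TYPE, payload), "sha256").digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

def demo_verify_sig(signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(DEMO_KEY, signed, "sha256").digest(), sig)
```

Each layer fails closed: a wrong artifact digest, a different builder id, or a modified payload or signature is rejected before the predicate is returned.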
Contact us if anything seems janky with regard to security vulnerabilities.
You can also check the Dependabot updates section for existing vulnerability corrections.