Software Bill of Materials (SBOM)
We publish a CycloneDX SBOM for every release, covering:
- All dependencies with versions and licenses
- Build tools and compilation artifacts
- Container images and base layers
- Cryptographic hashes for verification
Download SBOM
Latest release SBOM and attestation files:
Signed Builds
All releases are signed with our private keys; the matching public keys are published so you can verify before you deploy:
- Container images signed with cosign
- Binary releases signed with GPG
- Attestation files include build provenance
- Public keys available for verification
Build Provenance
We maintain complete build provenance including:
- Source code commit hashes
- Build environment details
- Dependency resolution logs
- Security scan results
Verification Commands
Verify our signatures using these commands. The examples reference the latest tag for convenience; when verifying what you actually deploy, reference the image by its immutable digest (verityedge/agent@sha256:...) so the signature and attestation are checked against the exact image you pulled, not whatever the mutable tag points at today:
# Verify container image
cosign verify --key cosign.pub verityedge/agent:latest
# Verify SBOM
cosign verify-attestation --key cosign.pub --type cyclonedx verityedge/agent:latest
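cosign verify-attestation only checks the signature; it then prints the verified DSSE envelope (one JSON object per line) and leaves it to you to confirm that the envelope is a CycloneDX attestation for the image digest you pulled and to decode the SBOM out of it. The following is an added example of that post-processing, not verityedge's own tooling: it parses an envelope shaped like cosign's output, checks the in-toto statement type and the cyclonedx predicate type that cosign uses, matches the subject digest against the digest you expect, and then checks a downloaded artifact against the SHA-256 recorded in the SBOM's component hashes. The envelope, SBOM, digest and artifact bytes are constructed inline so the example runs offline; the component name "agent" and the image name are assumptions.

```python
import base64
import hashlib
import json

# Constructed sample artifact and SBOM (not a real verityedge release).
SAMPLE_ARTIFACT = b"verityedge agent binary bytes (constructed sample)"
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "application",
            "name": "agent",            # assumed component name
            "version": "1.2.3",
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}],
        }
    ],
}
# Made-up digest standing in for the real image digest (e.g. from `crane digest`).
SAMPLE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()

# Types cosign emits for `cosign attest --type cyclonedx` (in-toto statement v0.1).
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def build_envelope(sbom, digest):
    """Assemble a DSSE envelope shaped like cosign's output. The signature is a
    placeholder: cosign has already verified it before printing the envelope."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": CYCLONEDX_PREDICATE,
        "subject": [{"name": "verityedge/agent", "digest": {"sha256": digest}}],
        "predicate": sbom,
    }
    return json.dumps({
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "<checked by cosign>"}],
    })


SAMPLE_ENVELOPE = build_envelope(SAMPLE_SBOM, SAMPLE_DIGEST)


def extract_sbom(envelope_line, expected_digest):
    """Decode one verified envelope and return the CycloneDX SBOM it carries.
    Raises ValueError unless it is a CycloneDX attestation whose subject is
    the image digest we actually pulled."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != CYCLONEDX_PREDICATE:
        raise ValueError(f"not a CycloneDX attestation: {statement.get('predicateType')!r}")
    subject_digests = {s.get("digest", {}).get("sha256")
                       for s in statement.get("subject", [])}
    if expected_digest not in subject_digests:
        raise ValueError("attestation subject does not match the pulled image digest")
    return statement["predicate"]


def component_hash_matches(sbom, name, data):
    """True if the SBOM lists a SHA-256 for `name` and it matches `data`.
    Missing component or missing SHA-256 entry counts as a failure, not a pass."""
    actual = hashlib.sha256(data).hexdigest()
    for component in sbom.get("components", []):
        if component.get("name") != name:
            continue
        for h in component.get("hashes", []):
            if h.get("alg") == "SHA-256":
                return h.get("content", "").lower() == actual
    return False


if __name__ == "__main__":
    # Typical use: pipe each line of `cosign verify-attestation ...` output here.
    sbom = extract_sbom(SAMPLE_ENVELOPE, SAMPLE_DIGEST)
    print(sbom["bomFormat"], sbom["specVersion"],
          "agent hash ok:", component_hash_matches(sbom, "agent", SAMPLE_ARTIFACT))
```

The digest you pass to extract_sbom should come from the image you pulled (for example the RepoDigests field of docker inspect), not from the attestation itself; otherwise a valid attestation for a different image would be accepted.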
Security Scanning
All dependencies are scanned for vulnerabilities:
- Automated vulnerability scanning in CI/CD
- Dependency updates tracked and tested
- Security advisories published for critical issues
- Audit logs maintained for all security events
Questions?
For detailed security information or custom attestation requirements: