Supply Chain

Launch releases should carry enough integrity and provenance data for operators to verify what they install:

  • Release archives carry licenses, notice text, and the README.
  • SHA256SUMS is generated for every release asset.
  • CycloneDX SBOM output is produced during preflight and release workflows.
  • cargo deny check enforces license, source, and advisory policy.
  • cargo audit --deny warnings provides an independent RustSec pass using .cargo/audit.toml.
  • scripts/security/check_advisory_waivers.py keeps RustSec exceptions synchronized between cargo-deny, cargo-audit, and the security policy.
  • scripts/ci/check_supply_chain_contract.sh keeps security policy, advisory workflows, SBOM generation, release/container attestations, and verification docs aligned.
  • GitHub release artifacts and GHCR images are attested by the release workflow that produced them.
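
The list above describes what the release workflow publishes; the following is an added example of the operator-side check those assets enable, written for this page and not taken from the project's own scripts or from docs/supply-chain.md. It parses a coreutils-style SHA256SUMS, verifies every listed asset, flags files nothing vouches for, and confirms that a CycloneDX SBOM is among the covered assets. The asset names, the `.cdx.json` suffix, and the sample file contents are assumptions constructed for the demonstration.

```python
# Added example (not the project's tooling): offline verification of a release
# directory containing assets, SHA256SUMS, and a CycloneDX SBOM.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

SBOM_SUFFIX = ".cdx.json"  # assumed naming for the CycloneDX JSON asset


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse coreutils-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'.

    Rejects malformed digests, duplicate names, and names that escape the
    release directory, so a hostile SHA256SUMS cannot point us at other files.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"SHA256SUMS line {lineno}: bad digest")
        if not name or name in (".", "..") or "/" in name or "\\" in name:
            raise ValueError(f"SHA256SUMS line {lineno}: unsafe name {name!r}")
        if name in entries:
            raise ValueError(f"SHA256SUMS line {lineno}: duplicate entry {name!r}")
        entries[name] = digest
    return entries


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(release_dir: Path) -> dict:
    """Check every asset against SHA256SUMS and confirm an SBOM is covered.

    Returns {'verified': [...], 'problems': [...]}; an empty problems list
    means the directory matches what the checksum file describes.
    """
    expected = parse_sha256sums((release_dir / "SHA256SUMS").read_text())
    present = {p.name for p in release_dir.iterdir() if p.is_file()} - {"SHA256SUMS"}
    verified, problems = [], []
    for name, digest in expected.items():
        path = release_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif hmac.compare_digest(sha256_file(path), digest):
            verified.append(name)
        else:
            problems.append(f"mismatch: {name}")
    for name in sorted(present - set(expected)):
        problems.append(f"unlisted: {name}")  # no checksum vouches for this file
    sboms = [n for n in expected if n.endswith(SBOM_SUFFIX)]
    if not sboms:
        problems.append("no SBOM listed in SHA256SUMS")
    for name in sboms:
        path = release_dir / name
        if path.is_file():
            try:
                if json.loads(path.read_text()).get("bomFormat") != "CycloneDX":
                    problems.append(f"not CycloneDX: {name}")
            except json.JSONDecodeError:
                problems.append(f"unparseable SBOM: {name}")
    return {"verified": sorted(verified), "problems": problems}


def build_sample_release(release_dir: Path) -> None:
    """Constructed sample assets standing in for a real release (assumed names)."""
    assets = {
        "example-1.2.3-x86_64-unknown-linux-gnu.tar.gz": b"\x1f\x8b constructed tarball bytes",
        "example-1.2.3.cdx.json": json.dumps(
            {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}
        ).encode(),
        "LICENSE": b"constructed license text\n",
    }
    for name, data in assets.items():
        (release_dir / name).write_bytes(data)
    lines = [f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in assets.items()]
    (release_dir / "SHA256SUMS").write_text("\n".join(lines) + "\n")


def demo() -> tuple[dict, dict]:
    """Verify a clean sample release, then the same directory after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        build_sample_release(d)
        clean = verify_release(d)
        # Tamper: swap the archive contents and drop in a file nobody signed for.
        (d / "example-1.2.3-x86_64-unknown-linux-gnu.tar.gz").write_bytes(b"trojaned")
        (d / "example-1.2.3-x86_64-unknown-linux-gnu.tar.gz.sig").write_bytes(b"x")
        return clean, verify_release(d)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

A checksum file only proves that the assets match each other, not who published them; it becomes a provenance check once SHA256SUMS itself is covered by the workflow attestation, which is why the script treats an unlisted file as a problem rather than ignoring it.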

Known upstream advisory exceptions are documented in deny.toml and the security policy. See docs/supply-chain.md for verification commands and operator notes.