
Security: devpunks/snuggsi

SECURITY.md

Security Policy

This software is guided by the SSDF (Secure Software Development Framework) to the best of its abilities.

Proving the integrity of your software artifacts is essential, but it is not enough: although it enables users to trust the artifacts that they consume, it does not provide any trusted context to that artifact.

Please be advised that these strategies SHOULD NOT be treated as an end-all solution. Be sure to take further precautions to ensure a level of security that satisfies your needs.

Supported Versions

Version Supported
2025.0.0
2025.1.0
2024.0.0
2024.1.0

A chronological CalVer nightly Continuous Delivery strategy is used for versioning instead of SemVer.

The version generation and publishing routine can be found here.

Artifact Integrity

Artifact integrity is about the ability to trust the authenticity of artifacts, meaning verifying that the artifact you get is really the original artifact uploaded by its author.

[Figure: basic cosign artifact signing flow diagram v2]

Software Attestation

This software uses the in-toto three-step methodology for cryptographically signing artifacts and metadata:

  1. The DSSE Envelope (“Dead Simple Signing Envelope”): the transport layer.
  2. The in-toto Statement: the attestation header.
  3. The predicate: the attestation payload.


SBOM (Software Bill of Materials)

This software utilizes SLSA (Supply-chain Levels for Software Artifacts, https://slsa.dev/spec/v1.0/about) to produce provenance for proof-of-origin verification prior to usage within sensitive supply chains.

The nightly build process generates artifacts automatically, which allows verification of the software's authenticity and integrity (i.e., that the developers are who they claim to be and that the software has not been tampered with after release).
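The three in-toto layers listed above (DSSE envelope, Statement, predicate) and the consumer-side check that the attested subject digest matches the artifact actually downloaded are shown together in the following added example. It is illustration code written for this page, not the snuggsi project's build or signing code: the artifact bytes, key and predicate contents are constructed, and an HMAC-SHA256 over the DSSE pre-authentication encoding stands in for the asymmetric signature a real signer (cosign, in-toto tooling) would produce. The envelope layout, PAE construction and Statement field names follow the DSSE and in-toto v1 specifications.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: NOT the project's real build output, key or provenance.
ARTIFACT = b"console.log('sample bundle contents')\n"
SIGNING_KEY = b"demo-secret-key-for-illustration-only"   # HMAC stand-in for a signing key
KEY_ID = "demo-hmac-key"                                 # hypothetical key identifier

PAYLOAD_TYPE = "application/vnd.in-toto+json"     # DSSE payloadType used for in-toto
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact: bytes, predicate: dict) -> dict:
    """Steps 2 and 3: the in-toto Statement (header) wrapping the predicate (payload).
    The subject binds the attestation to the artifact by its digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed,
    so the payload type cannot be swapped without invalidating the signature."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign(payload_type: str, payload: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 stand-in for the real (asymmetric) DSSE signature.
    return hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()


def make_envelope(statement: dict, key: bytes) -> dict:
    """Step 1: the DSSE envelope, the transport layer carrying payload + signatures."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(PAYLOAD_TYPE, payload, key)
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": KEY_ID, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, artifact: bytes) -> dict:
    """Consumer side: verify the signature over the PAE, check the Statement and
    predicate types, then confirm the artifact in hand matches an attested subject.
    Returns the predicate on success and raises ValueError otherwise."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    expected = sign(envelope["payloadType"], payload, key)
    trusted = any(
        s.get("keyid") == KEY_ID
        and hmac.compare_digest(base64.b64decode(s["sig"]), expected)
        for s in envelope.get("signatures", [])
    )
    if not trusted:
        raise ValueError("no valid signature from a trusted key")
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto v1 Statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        raise ValueError("unexpected predicateType")
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement["subject"]):
        raise ValueError("artifact digest does not match any attested subject")
    return statement["predicate"]


if __name__ == "__main__":
    # Constructed SLSA v1 style predicate; field values are placeholders.
    predicate = {"buildDefinition": {"buildType": "https://example.invalid/nightly-build"},
                 "runDetails": {"builder": {"id": "https://example.invalid/builder"}}}
    env = make_envelope(make_statement("bundle.js", ARTIFACT, predicate), SIGNING_KEY)
    print(json.dumps(env, indent=2))
    print("verified predicate:", verify_envelope(env, SIGNING_KEY, ARTIFACT))
```

The verifier checks the signature before parsing the payload, and only then compares the subject digest against the bytes it actually downloaded; an attestation whose signature is valid but whose subject digest differs from the artifact in hand is rejected, which is the tampering case the SBOM section above is concerned with.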

Reporting a Vulnerability

Contact us if anything seems janky with regard to security vulnerabilities.

You can also check the Dependabot updates section for existing vulnerability corrections.

Attack Vectors


There aren't any published security advisories.