This index is the root-level entry point for reproducible security evidence that backs policy claims in SECURITY.md.
- Security claims evidence: artifacts/ci/security-claims-evidence/
- Code analysis evidence: artifacts/ci/code-analysis-evidence/
- Audit document index: docs/audit/000_INDEX.MD
- Claim traceability matrix: docs/audit/003_SECURITY_ASSERTION_TRACEABILITY.MD
- Certification/attestation roadmap: docs/audit/004_CERTIFICATION_AND_ATTESTATION_ROADMAP.MD
- Threat model: docs/audit/007_THREAT_MODEL.MD
- Incident response runbook: docs/audit/008_INCIDENT_RESPONSE_RUNBOOK.MD
- Supply chain baseline: docs/audit/009_SUPPLY_CHAIN_BASELINE.MD
- Execution DoD matrix: docs/audit/012_WAVE_EXECUTION_DOD.MD
- OpenSSF Scorecard workflow: .github/workflows/scorecard.yml
- Artifact attestation in release flow: .github/workflows/release.yml
- Dependency review workflow: .github/workflows/dependency-review.yml
All commands are intended to run from the repository root.

```bash
# Re-run the evidence checks that back the claims in SECURITY.md
bash tools/audit/verify-security-claims.sh
bash tools/audit/verify-code-analysis-evidence.sh

# List currently open code-scanning alerts for the repository (requires gh auth)
gh api 'repos/tomtastisch/FileClassifier/code-scanning/alerts?state=open&per_page=100' --paginate

# Pick the first built package and verify its release attestation against the repository
NUPKG="$(find artifacts/nuget -maxdepth 1 -type f -name '*.nupkg' | head -n 1)"
test -n "$NUPKG"
gh attestation verify "$NUPKG" --repo tomtastisch/FileClassifier
```

- Expanded fuzzing corpus and dedicated fuzz regressions (Cluster 7)
- Formal external certification path (outside repository scope)