a11oyBrand Orchestration Layer · the one place to see everything

Security — posture, signing, SBOM

Honest one-liner: a strong governance/provenance substrate sitting on a weak web-edge posture and an incomplete signing/SBOM story. Where we are weak, we say so.

Domain | Grade | Note
Signing chain | | Syft/Grype (Anchore) → SBOM → in-toto attestation (NYU/Purdue) → SLSA level (OpenSSF) → Cosign signature (Sigstore) → Zarf package (Defense Unicorns) → UDS Core admission (Pepr). Every link is US-led or US-academic.

SLSA = L1 (honest); previously mislabeled L3, now corrected. 1 of 6 UDS bundles is keyless-signed (vessels, Rekor index 1675423172). cosign.pub fingerprint: 1f00187d861dc4fb01c9733a32e26fcb4126709f8614e201d04a099c70e3dbc7. VDP: security.txt (RFC 9116).
Strict security headers + non-wildcard CORS (szl_security_headers.py) are authored and staged per-Space, but not wired into a11oy this pass to avoid regressing the existing SPA — see Gap Check.

Source: security_compliance/CURRENT_SECURITY_POSTURE.md