SBOM
A CycloneDX SBOM is generated for every release ≥ v0.1.0 and published alongside the release artifact in the same directory. The SBOM file is named grantlock-<version>-<platform>.sbom.json.
Where to find it
Per-version SBOMs are listed on the release detail pages under /releases. Each SBOM is signed with the same cosign keyless OIDC key as the binary itself; the signature path is <sbom-url>.sig.
Verifying
cosign verify-blob \
--certificate-identity-regexp "https://github.com/grantlock-ai/grantlock/" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--signature grantlock-0.1.0-darwin_arm64.sbom.json.sig \
grantlock-0.1.0-darwin_arm64.sbom.jsonFormat & tooling
- CycloneDX 1.5 JSON, generated by cyclonedx-py during the release workflow.
- Verifiable against pyproject.toml + uv.lock; reproducible from source given the matching git tag.
- Importable into Dependency-Track and other CycloneDX consumers.