Skip to content
grantlock

SBOM

A CycloneDX SBOM is generated for every release ≥ v0.1.0 and published alongside the release artifact in the same directory. The SBOM file is named grantlock-<version>-<platform>.sbom.json.

Where to find it

Per-version SBOMs are listed on the release detail pages under /releases. Each SBOM is signed with the same cosign keyless OIDC key as the binary itself; the signature path is <sbom-url>.sig.

Verifying

cosign verify-blob \
  --certificate-identity-regexp "https://github.com/grantlock-ai/grantlock/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --signature grantlock-0.1.0-darwin_arm64.sbom.json.sig \
  grantlock-0.1.0-darwin_arm64.sbom.json

Format & tooling

  • CycloneDX 1.5 JSON, generated by cyclonedx-py during the release workflow.
  • Verifiable against pyproject.toml + uv.lock; reproducible from source given the matching git tag.
  • Importable into Dependency-Track and other CycloneDX consumers.