diff --git a/docs/.vuepress/client.ts b/docs/.vuepress/client.ts
index 8ad10af4d..411ed316a 100644
--- a/docs/.vuepress/client.ts
+++ b/docs/.vuepress/client.ts
@@ -17,6 +17,7 @@ import CodeTabs from "./components/CodeTabs.vue";
 import TableTabs from "./components/TableTabs.vue";
 import ELSTechnology from "./components/ELSTechnology.vue";
 import ELSRTechnology from "./components/ELSRTechnology.vue";
+import SecureChainEcosystemSelector from "./components/SecureChainEcosystemSelector.vue";
 import ELSOSSelector from "./components/ELSOSSelector.vue";
 import ELSPrerequisites from "./components/ELSPrerequisites.vue";
 import ELSSteps from "./components/ELSSteps.vue";
@@ -55,6 +56,7 @@ export default defineClientConfig({
 app.component("TableTabs", TableTabs);
 app.component("ELSTechnology", ELSTechnology);
 app.component("ELSRTechnology", ELSRTechnology);
+ app.component("SecureChainEcosystemSelector", SecureChainEcosystemSelector);
 app.component("ELSOSSelector", ELSOSSelector);
 app.component("ELSPrerequisites", ELSPrerequisites);
 app.component("ELSSteps", ELSSteps);
diff --git a/docs/.vuepress/components/SecureChainEcosystemSelector.vue b/docs/.vuepress/components/SecureChainEcosystemSelector.vue
new file mode 100644
index 000000000..765906145
--- /dev/null
+++ b/docs/.vuepress/components/SecureChainEcosystemSelector.vue
@@ -0,0 +1,159 @@
+ + + + +
diff --git a/docs/.vuepress/config-client/documents.ts b/docs/.vuepress/config-client/documents.ts
index 43597e96c..80b30ccd8 100644
--- a/docs/.vuepress/config-client/documents.ts
+++ b/docs/.vuepress/config-client/documents.ts
@@ -54,6 +54,11 @@ export default [
 description: "provides security fixes for open-source applications after official support ends.",
 link: "/els-for-applications/",
 },
+ {
+ title: "SecureChain for Open Source",
+ description: "delivers verified, signed, continuously patched open-source packages from a trusted, TuxCare-managed registry — drop-in replacements that extend protection beyond upstream end of life. Available for JavaScript at launch, with Python, Java, Go, and PHP on the roadmap.",
+ link: "/securechain/",
+ },
 {
 title: "Subscription Management Portal",
 description: "The TuxCare subscription management portal is designed to easily manage your licenses of TuxCare products and services by means of a user-friendly interface.",
diff --git a/docs/.vuepress/config-client/sidebar.ts b/docs/.vuepress/config-client/sidebar.ts
index a7b3cf861..896db3a30 100644
--- a/docs/.vuepress/config-client/sidebar.ts
+++ b/docs/.vuepress/config-client/sidebar.ts
@@ -495,6 +495,24 @@ export default {
 ]
 },
 ],
+ '/securechain/': [
+ {
+ collapsable: false,
+ children: [
+ "/securechain/",
+ {
+ path: '/securechain/javascript/',
+ icon: '/images/javascript.webp',
+ },
+ {
+ title: 'Resources',
+ type: 'section-header',
+ icon: '/images/star.webp',
+ },
+ "/securechain/managing-securechain-repository/",
+ ]
+ },
+ ],
 '/els-for-applications/': [
 {
 collapsable: false,
diff --git a/docs/.vuepress/theme/components/Breadcrumb.vue b/docs/.vuepress/theme/components/Breadcrumb.vue
index 473cbbd9c..1b2517f7b 100644
--- a/docs/.vuepress/theme/components/Breadcrumb.vue
+++ b/docs/.vuepress/theme/components/Breadcrumb.vue
@@ -27,6 +27,7 @@ const titleMap = {
 '/els-for-os/': 'ELS for OS',
 '/els-for-runtimes/': 'ELS for Runtimes',
 '/enterprise-support-for-almalinux/': 'Enterprise Support for AlmaLinux',
+ '/securechain/': 'SecureChain for Open Source Software',
 };
 const breadCrumbs = computed(() => {
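Review bot: The new documents.ts entry names the product `title: "SecureChain for Open Source"`, while the Breadcrumb.vue hunk in the same commit maps the same route to `'/securechain/': 'SecureChain for Open Source Software'` and the new docs/securechain/README.md heading also reads "SecureChain for Open Source Software", so the landing-page card and the breadcrumb will disagree on the product name. Picking one form and using it in both places avoids that, e.g. `title: "SecureChain for Open Source Software",` here. The added description is also noticeably longer than the two sibling entries visible in the hunk and folds a roadmap statement into it; if the cards render these strings in full, a one-sentence description with the roadmap left to the README would likely match the surrounding entries better, though I can only see two siblings here.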
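Review bot: The new `'/securechain/'` sidebar block mixes quote styles within the same literal: `"/securechain/"` and `"/securechain/managing-securechain-repository/"` use double quotes while `'/securechain/javascript/'`, `'/images/javascript.webp'` and `'Resources'` use single quotes, and the surrounding context (`'/els-for-applications/'`) uses single quotes. Changing the two string children to `'/securechain/',` and `'/securechain/managing-securechain-repository/',` would keep the block consistent with its neighbours. The block also references `/images/javascript.webp` and `/images/star.webp`, neither of which is added by this diff; if those assets are not already present under the docs public directory, the sidebar icons will render as broken images, so that is worth confirming before merge. The enclosing `export default {` object starts and ends outside the hunk.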
diff --git a/docs/securechain/README.md b/docs/securechain/README.md
new file mode 100644
index 000000000..7fc019b64
--- /dev/null
+++ b/docs/securechain/README.md
@@ -0,0 +1,77 @@ + + +# SecureChain for Open Source Software + + + +## What SecureChain Covers + +* Verified, signed builds from trusted sources +* Coverage that continues after upstream end of life +* A single registry your developers and CI already know how to talk to + +## Vulnerability Coverage and Target Response Times + +TuxCare employs the Common Vulnerability Scoring System (CVSS) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. + +Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. + +* **Vulnerability coverage.** TuxCare shall provide security patches for critical- and high-risk (CVSS 7.0 and above), medium-risk (CVSS 4.0 to 6.9), and low-risk (CVSS 0.1 to 3.9) vulnerabilities. TuxCare reserves the right to offer a mitigation strategy as an alternative to a direct code fix. + +* **Response time.** TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: + * **High- and critical-risk vulnerabilities (CVSS 7.0 and above):** Patches are provided within 14 days from the date the vulnerabilities are publicly disclosed. + * **Medium-risk vulnerabilities (CVSS 4.0 to 6.9):** Patches are provided within 60 days from the date the vulnerabilities are publicly disclosed. 
+ * **Low-risk vulnerabilities (CVSS 0.1 to 3.9):** Patches are provided within 90 days from the date the vulnerabilities are publicly disclosed. + +## Incident Reporting and Response Timeframe + +Customers can report vulnerabilities by submitting a ticket through the [TuxCare Support Portal](https://tuxcare.com/support-portal/). TuxCare commits to providing an initial response to any reported issue within 3 days. + +Requests for customer-directed security patches for CVEs that are outside of the SecureChain scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. + +Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. + +## Enhanced Transparency & Visibility + +TuxCare's commitment to transparency and visibility is foundational to our SecureChain offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. + +* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance at Level 2 at launch, with Level 3 on the roadmap. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. +* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. + +:::warning +Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com). 
+::: + +* **Enhanced metadata in standard formats.** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (affected, not_affected, fixed, under_investigation) so scanners can suppress non-applicable findings. +* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. +* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. + +## Support Duration + +TuxCare provides continuous security patching for all SecureChain-supported open-source packages for as long as your organization requires them, eliminating the need for rushed or disruptive upgrades. + +All updates are delivered at a fixed price for the full term of your contract, ensuring predictable costs and uninterrupted protection. + +## Technical Support + +TuxCare provides technical support according to the standard [support policy](https://tuxcare.com/TuxCare-support-policy.pdf). + +It delivers 24/7/365 access to TuxCare's support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to TuxCare's online knowledge base. + +## Vulnerability Exploitability eXchange (VEX) + +VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks. 
+ +Why it matters: + +* Context-aware vulnerability status ("affected", "not affected", "fixed") +* Cuts scanner noise to what truly matters +* Automation-friendly for tooling and CI/CD + + + +* ![](/images/shield-alert.webp) [VEX feed](https://security.tuxcare.com/vex/cyclonedx/) — Vulnerability Exploitability eXchange feed +* ![](/images/eye.webp) [CVE Tracker](https://tuxcare.com/cve-tracker/) — Track vulnerability fixes and updates + + + diff --git a/docs/securechain/javascript/README.md b/docs/securechain/javascript/README.md new file mode 100644 index 000000000..4736f528f --- /dev/null +++ b/docs/securechain/javascript/README.md 
@@ -0,0 +1,72 @@ +# JavaScript + +SecureChain delivers verified, signed, continuously patched JavaScript packages from a TuxCare-managed npm registry. Packages install with standard `npm` tooling and continue to receive CVE patches after upstream end of life. + +## Installation + + + +* TuxCare SecureChain registry token — contact [sales@tuxcare.com](mailto:sales@tuxcare.com) +* An npm project with `package.json`. If you're starting from scratch, run `npm init -y` in your project directory to create one. +* To browse available packages, visit TuxCare [Nexus](https://nexus.repo.tuxcare.com/#browse/browse:securechain-js) and sign in. You may need to refresh the page after logging in. + + + + + +1. Connect to the SecureChain registry + + In the root directory of your project, create or edit `.npmrc` to point npm at the SecureChain registry and provide your token: + + ```text + registry=https://nexus.repo.tuxcare.com/repository/securechain-js/ + //nexus.repo.tuxcare.com/repository/securechain-js/:_auth= + always-auth=true + ``` + + :::warning + Replace `` with the token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com). + ::: + +2. Install a SecureChain package + + SecureChain packages are published under the `@securechain-js` scope. Install them with their fully qualified name and version: + + ```text + npm install @securechain-js/@ + ``` + + For the list of available packages and versions, visit TuxCare [Nexus](https://nexus.repo.tuxcare.com/#browse/browse:securechain-js). + + + +## Troubleshooting + +If `npm install` resolves to the public registry instead of SecureChain, use the commands below to verify that npm is reading your `.npmrc` and that the token is accepted. + +* **Confirm the active registry** + + ```text + npm config get registry + ``` + + The output must be `https://nexus.repo.tuxcare.com/repository/securechain-js/`. 
If it returns `https://registry.npmjs.org/`, npm is not reading your project `.npmrc` - check that you are running npm from the project root and that no user-level `~/.npmrc` is overriding it. + +* **Confirm authentication and connectivity** + + ```text + npm whoami + npm ping + ``` + + `npm whoami` confirms the token resolves to a Nexus user. `npm ping` confirms the registry is reachable with that token. Failures here usually mean a missing, malformed, or revoked `_auth` value in `.npmrc`. + +## What's Next? + + + +* ![](/images/shield-alert.webp) [VEX feed](https://security.tuxcare.com/vex/cyclonedx/) — Vulnerability Exploitability eXchange feed +* ![](/images/eye.webp) [CVE Tracker](https://tuxcare.com/cve-tracker/) — Track vulnerability fixes and updates +* ![](/images/wrench.webp) [Managing the SecureChain repository](/securechain/managing-securechain-repository/) — Upgrade to a newer version + + diff --git a/docs/securechain/managing-securechain-repository/README.md b/docs/securechain/managing-securechain-repository/README.md new file mode 100644 index 000000000..b550d0f31 --- /dev/null +++ b/docs/securechain/managing-securechain-repository/README.md @@ -0,0 +1,34 @@ +# Managing the SecureChain repository + +This page describes how to upgrade an already-installed SecureChain package to a newer release. + +## How to Upgrade to a Newer Version + + + + + +