Security Policy

Reporting a Vulnerability

Please report security vulnerabilities privately through Security Advisories rather than in a public issue. Our contributors will try to respond within a week of your report with a rough plan for a fix and new tests.

Verifying Docker images

Docker images published by this project are signed with Cosign keyless signing via Sigstore: the short-lived signing certificate is issued to the OIDC identity of the GitHub Actions release workflow, and the signature is recorded in the public Rekor transparency log. No long-lived private key is stored or required.

To verify an image, install Cosign (see the Cosign installation instructions) and run:

cosign verify \
  --certificate-identity-regexp "https://github.com/com-pas/compas-open-scd/.github/workflows/release-project.yml@refs/tags/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  lfenergy/compas-open-scd:<tag>

Replace <tag> with the specific release tag (e.g. v1.2.3) or latest.

A successful verification shows that the image was signed by this project's release workflow running from a tag and that the signature is present in Rekor. It does not by itself show that the tag you pulled still points at the build you expect: image tags are mutable, and latest moves on every release. Take the docker-manifest-digest printed in the verification output and pull or deploy by that digest (lfenergy/compas-open-scd@sha256:...) rather than by tag. The --certificate-identity-regexp above accepts any tag ref; to require one specific release, pass the full identity ending in refs/tags/v1.2.3 with --certificate-identity instead.
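The following is an added example, not code from the CompAS project or from Cosign, showing the checks a deployment pipeline can run on the JSON that cosign verify prints on success. It assumes cosign's output format (an array of payloads with the signed digest under critical.image.docker-manifest-digest and the certificate issuer and subject under optional.Issuer and optional.Subject); the sample payload, its digest and the script name check_sig.py are constructed for illustration. It matches the identity with an anchored, escaped pattern so that neither a wildcard dot nor an extra prefix or suffix can slip past, and it lets you pin the digest you intend to deploy.

```python
"""Stricter checks on the JSON that `cosign verify` prints on success.

Added example, not CompAS project code. cosign writes one JSON array of
signature payloads to stdout; each payload carries the signed manifest digest
under critical.image.docker-manifest-digest and the certificate's issuer and
subject (SAN) under optional.Issuer / optional.Subject. This script reads that
array and insists that the signer is the release workflow at the exact tag you
asked for and, if you pass a digest, that it is the digest you are deploying.
"""
import json
import re
import sys

ISSUER = "https://token.actions.githubusercontent.com"
# Workflow identity from the project's SECURITY.md, with the tag left off.
IDENTITY_PREFIX = (
    "https://github.com/com-pas/compas-open-scd/.github/workflows/"
    "release-project.yml@refs/tags/"
)

# Constructed stand-in for real cosign output; the digest is made up.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/lfenergy/compas-open-scd"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": ISSUER, "Subject": IDENTITY_PREFIX + "v1.2.3"},
}])


def check_signatures(cosign_json, expected_tag=None, expected_digest=None):
    """Return a list of problems; an empty list means every payload passed.

    expected_tag=None accepts any vX.Y.Z release tag; the digest is only
    checked when one is supplied.
    """
    try:
        payloads = json.loads(cosign_json)
    except json.JSONDecodeError as exc:
        return ["cosign output is not JSON: %s" % exc]
    if not isinstance(payloads, list) or not payloads:
        return ["no signature payloads in cosign output"]

    # Anchored pattern: re.fullmatch rejects any extra prefix or suffix, and
    # re.escape stops the literal dots in the URL from acting as wildcards.
    tag_pattern = re.escape(expected_tag) if expected_tag else r"v\d+\.\d+\.\d+"
    identity_re = re.compile(re.escape(IDENTITY_PREFIX) + tag_pattern)

    problems = []
    for i, payload in enumerate(payloads):
        optional = payload.get("optional") or {}
        issuer = optional.get("Issuer")
        subject = optional.get("Subject")
        digest = payload.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if issuer != ISSUER:
            problems.append("payload %d: issuer %r is not GitHub Actions" % (i, issuer))
        if subject is None or not identity_re.fullmatch(subject):
            problems.append("payload %d: identity %r is not the release workflow at tag %s"
                            % (i, subject, expected_tag or "vX.Y.Z"))
        if expected_digest is not None and digest != expected_digest:
            problems.append("payload %d: signed digest %r != expected %r"
                            % (i, digest, expected_digest))
    return problems


def signed_digests(cosign_json):
    """Digests the signatures cover; pin deployments to one of these, not to a tag."""
    return sorted({p["critical"]["image"]["docker-manifest-digest"]
                   for p in json.loads(cosign_json)})


if __name__ == "__main__":
    # Usage: cosign verify ... lfenergy/compas-open-scd:v1.2.3 | python3 check_sig.py v1.2.3 [sha256:...]
    # With no piped input the constructed sample is checked instead.
    tag = sys.argv[1] if len(sys.argv) > 1 else None
    digest = sys.argv[2] if len(sys.argv) > 2 else None
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    problems = check_signatures(data, tag, digest)
    for problem in problems:
        print("FAIL:", problem)
    for d in signed_digests(data):
        print("signed digest:", d)
    sys.exit(1 if problems else 0)
```

On the first verification of a release, run it with only the tag and record the digest it prints; from then on pass both the tag and that digest so a retagged or re-pushed image fails the check even though its signature would still verify.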