Skip to content

Latest commit

 

History

History
46 lines (32 loc) · 2.57 KB

File metadata and controls

46 lines (32 loc) · 2.57 KB

Verification guide

Use this page when you are trying to figure out which provenance or verification instructions apply to sbom-diff-and-risk.

Choose the question you are trying to answer

1. "How do I verify sbom-diff-and-risk itself?"

Use the tool provenance docs:

Current boundaries:

  • the workflow name is sbom-diff-and-risk-ci
  • the workflow artifact name is sbom-diff-and-risk-dist
  • version-tag runs matching v* can publish the same built files as GitHub Release assets
  • release assets produced by the updated workflow include sbom-diff-and-risk-SHA256SUMS.txt for local SHA256 verification of the wheel and source distribution
  • release verification depends on immutable releases being enabled for the repository
  • the TestPyPI readiness workflow is sbom-diff-and-risk-testpypi
  • the TestPyPI Trusted Publishing dry-run has completed for version 0.4.1
  • production PyPI publishing remains deferred behind the gate in pypi-production-publishing-decision.md

2. "How do I use sbom-diff-and-risk to analyze third-party dependency provenance?"

Use the dependency-analysis docs in the README:

Current boundaries:

  • default CLI behavior remains local and deterministic
  • no hidden network access occurs unless enrichment flags are set explicitly
  • dependency provenance analysis is about third-party packages, not about verifying the sbom-diff-and-risk tool's own artifacts
  • release verification and workflow artifact attestation do not change CLI analysis behavior

One-line summary

  • Verify the tool itself: use self-provenance.md or release-provenance.md
  • Check downloaded release bytes: use the checksum manifest instructions in release-provenance.md
  • Decide whether production PyPI publishing is ready: use pypi-production-publishing-decision.md
  • Analyze dependencies with the tool: use the README's dependency provenance sections