
Supply Chain Verification

TerraTidy releases include cryptographic signatures, SBOMs, and build provenance so you can verify the integrity and origin of every artifact.

Verify Checksums

Every release includes a checksums.txt file with SHA-256 hashes for all artifacts.

# Download the release and checksums
gh release download v0.2.0-alpha.4 --repo santosr2/terratidy

# Verify checksum
sha256sum -c checksums.txt --ignore-missing

Verify Cosign Signature

Checksums are signed with Sigstore cosign using keyless signing (tied to the GitHub Actions OIDC identity).

# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Download checksums and signature bundle
gh release download v0.2.0-alpha.4 --repo santosr2/terratidy -p 'checksums.txt*'

# Verify the signature
cosign verify-blob checksums.txt \
  --bundle checksums.txt.bundle \
  --certificate-identity-regexp 'https://github.com/santosr2/TerraTidy' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Verify Build Provenance

GitHub-native build attestations are attached to each release. You can verify them with the GitHub CLI:

gh attestation verify checksums.txt --repo santosr2/terratidy

SBOM (Software Bill of Materials)

Each release archive includes an SBOM in SPDX format, generated by syft. SBOM files are named <archive>.sbom.json and are attached to the GitHub release.

# Download and inspect an SBOM
gh release download v0.2.0-alpha.4 --repo santosr2/terratidy -p '*.sbom.json'
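Once downloaded, an SBOM is only useful if you inspect it. The following is an added example, not TerraTidy's own code: it parses an SPDX JSON SBOM of the shape syft produces, extracts each package's purl, and flags packages that match an advisory list. The SBOM document, the dependency names in it and the advisory data are constructed samples.

```python
import json
from dataclasses import dataclass
from typing import Optional
# Constructed SPDX 2.3 document in the shape syft emits (sample data, not a real
# TerraTidy SBOM; dependency names and versions are placeholders).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "terratidy_0.2.0-alpha.4_linux_amd64.tar.gz",
    "packages": [
        {"name": "terratidy", "SPDXID": "SPDXRef-Package-1", "versionInfo": "v0.2.0-alpha.4",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/santosr2/terratidy@v0.2.0-alpha.4"}]},
        {"name": "golang.org/x/example", "SPDXID": "SPDXRef-Package-2", "versionInfo": "v0.1.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/golang.org/x/example@v0.1.0"}]},
        {"name": "stdlib", "SPDXID": "SPDXRef-Package-3", "versionInfo": "go1.22.0"},  # no purl
    ],
})

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    purl: Optional[str]  # None when the SBOM carries no purl for the package
def parse_spdx_packages(doc_text: str) -> list:
    """Extract name, version and purl for every package in an SPDX JSON SBOM."""
    doc = json.loads(doc_text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    packages = []
    for pkg in doc.get("packages", []):
        purl = next((ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        packages.append(Package(pkg["name"], pkg.get("versionInfo", ""), purl))
    return packages

def affected_packages(packages: list, advisories: dict) -> list:
    """Return packages whose versionless purl maps, in `advisories`
    (e.g. {"pkg:golang/example.org/m": {"v1.0.0"}}), to a set containing their version."""
    hits = []
    for pkg in packages:
        if pkg.purl is None or "@" not in pkg.purl:
            continue  # no version-qualified purl: skip rather than guess a match
        base, _, version = pkg.purl.rpartition("@")
        if version in advisories.get(base, set()):
            hits.append(pkg)
    return hits
# Constructed advisory data for the sample; a real check would query OSV or GHSA.
SAMPLE_ADVISORIES = {"pkg:golang/golang.org/x/example": {"v0.1.0"}}
```

Point `parse_spdx_packages` at the contents of a downloaded `<archive>.sbom.json` to run the same check against a real release.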

OpenSSF Scorecard

TerraTidy is monitored by OpenSSF Scorecard, which evaluates the project's security practices weekly. The latest score is published on the project's OpenSSF Scorecard page.