Security posture
Live, machine-verifiable evidence of South Lodge's supply-chain + application security posture. Everything on this page is cross-referenced to source files in our public GitHub repo and cryptographically signed against the Sigstore transparency log.
At a glance
—
Components in SBOM (CycloneDX 1.5)
—
VEX statements (signed)
26
Supply-chain controls in force
35 / 35
NIST SSDF v1.1 tasks met
Published artefacts
All available as static files on this domain. Each is regenerated per CI run and Sigstore-signed; verification commands are below.
| Artefact | Format | Status |
|---|---|---|
| /sbom.cyclonedx.json | CycloneDX 1.5 JSON | — |
| /sbom.cyclonedx.json.sigstore.json | Sigstore bundle | signed |
| /sbom.vex.json | CycloneDX 1.5 VEX | — |
| /sbom.vex.json.sigstore.json | Sigstore bundle | signed |
| /.well-known/security.txt | RFC 9116 | active |
Verification
Anyone can cryptographically verify the SBOM + VEX were produced by our CI workflow. Install cosign and run:
cosign verify-blob \ --bundle sbom.cyclonedx.json.sigstore.json \ --certificate-identity 'https://github.com/southlodge/football-crm/.github/workflows/supply-chain-scan.yml@refs/heads/main' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ sbom.cyclonedx.json
Expected output: Verified OK. Full verification guide at
sbom-signature-verification.md
— including casual / standard / auditor trust-level variants.
External grading
Independent assessment by the OpenSSF Scorecard project. Updated weekly + on every push.
Threat-surface coverage (Unit 42 npm supply-chain attacks)
Coverage against the full threat surface documented in Unit 42's npm supply-chain article. Every threat is mapped to one or more numbered controls in our hardening runbook.
- A Preinstall hook execution (load-bearing) —
ignore-scripts=true - A 24-72h publish cooldown — CI weekly + per-PR
- A Dead-drop signature grep (working tree + remote git history)
- A Transient workflow file detection
- A Install-script content inspection
- A SLSA provenance (slsa-verifier full crypto verification)
- A OSV malicious-package cross-reference
- A Typosquat (Levenshtein detector)
- A Sigstore-signed SBOM + VEX
- A Lockfile integrity vs registry
- A Maintainer history forensics
- A GitHub-side surveillance scanner
- A Container-isolated
npm install - A SHA-pinned Docker images + third-party Actions
- A Signed commits (SSH + GPG)
- A Frontend CSP / SRI / HSTS
- A CODEOWNERS coverage ratchet
- A Host-kernel CVE cross-reference (6 CVEs in DB)
- A Reproducible builds verifier
Compliance evidence
- NIST SSDF v1.1 mapping — 35 of 35 tasks fully met (federal-grade self-attestation evidence per EO 14028 / OMB M-22-18)
- UK GDPR Article 30 ROPA — quarterly refresh, freshness ratcheted in pre-push
- Incident response playbook — 5-phase procedure + 5 tabletop scenarios + comms templates
- Responsible disclosure policy — severity-bound SLAs + safe-harbor
Contact
Security reports: security@southlodge.ai
(PGP: /.well-known/security-pubkey.asc)
This page is static HTML — no JavaScript bundles, no third-party tracking. Stats are
client-side fetch() of the same artefacts you can download. View source at
public/security/index.html
.