Please go to Security Advisories to privately report a security vulnerability, our contributors will try to respond within a week of your report with a rough plan for a fix and new tests.

Docker images published by this project are signed using Cosign keyless signing via Sigstore. Signatures are recorded in the public Rekor transparency log — no private key is stored or required.

To verify an image, install Cosign (instructions) and run:

cosign verify \
  --certificate-identity-regexp "https://github.com/com-pas/compas-open-scd/.github/workflows/release-project.yml@refs/tags/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  lfenergy/compas-open-scd:<tag>

Replace <tag> with the specific release tag (e.g. v1.2.3) or latest.