You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/SECURITY_CONTROLS.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,7 +21,7 @@ local test and release gates.
21
21
| PII in infrastructure logs | Email-shaped identities are accepted for compatibility; callers who want less personal data in URL logs should send opaque stable ids or one-way hashes. |
22
22
| Vulnerable or incompatible dependencies |`cargo audit` and `cargo deny check` run in the standard check script and CI. |
23
23
| Plaintext backend transport | Remote OTLP and custom S3 endpoints require HTTPS. HTTP is accepted only for loopback-local development endpoints, and the application enables explicit Rustls-backed clients for both integrations. |
24
-
| Mutable release inputs | GitHub actions and Docker base imagesare pinned to reviewed commit SHAs and image digests. Dependabot tracks Cargo, action, and Docker updates; image publishing emits SBOM and maximum provenance attestations. |
24
+
| Mutable release inputs | GitHub actions, Docker base images, and the Fluxheim deployment image are pinned to reviewed commit SHAs and image digests. The runtime image does not install from a live package repository; its CA bundle comes from the pinned builder. Dependabot tracks Cargo, action, and Docker updates; image publishing emits SBOM and maximum provenance attestations. |
0 commit comments