Chain of Trust

This file is automatically generated by vet. Do not edit it manually.

Audit file (audits.toml)

Holds the audit records for packages in this project. Each record contains:

  • who performed the audit,
  • status of the audit (unsafe, safe to run, safe to deploy),
  • version of the package that was audited,
  • notes (optionally) about the audit.

Example:

[audits.example_package]
who = "Example Person <person@example.com>"
status = "safe to deploy"  # or "safe to run" or "unsafe"
version = "1.7.2"
notes = "Some notes about the audit"

Config file (config.toml)

Exemptions

A list of packages that are exempt from audits. To make getting started easy, all packages in the poetry.lock file are exempt by default. These packages should then be audited, either manually or by importing an audit from a trusted source.

Example:

[exemptions.example_package]
version = "1.7.2"
status = "safe to deploy"

Imports

A list of URLs of audit sources. Each source must provide a TOML file containing audits in the same format as audits.toml.

Example:

[imports.example_org]
url = "https://raw.githubusercontent.com/example_org/example_project/main/chain-of-trust/audits.toml"

Import lock (import.lock)

This file is automatically generated by vet. Do not edit it manually.

It holds a local copy of audits from trusted sources specified in the config file.