This document outlines the project's security policies: how to report vulnerabilities, how to verify artifact integrity, and which security measures are in place.
We take security seriously. If you discover a vulnerability in ggbridge, please report it confidentially through our Vulnerability Disclosure Portal.
Please avoid reporting security issues in public GitHub issues or discussions.
To ensure the integrity of our software, we provide a verifiable provenance for our Docker images. You can find all provenance attestations here.
Our wolfi-based container images are built with GitHub Actions and follow supply-chain security best practices, using a declarative build specification for apko.
- Base Image: wolfi-base
- Build System: GitHub Actions (workflow: release.yml)
- Declarative Build Spec: apko.yaml defines the image composition
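The check a consumer would apply to a provenance attestation after its signature has been verified, as an added example that is not part of the project's documentation or tooling: it assumes the SLSA v1 / in-toto statement layout that GitHub artifact attestations emit for a GitHub Actions build, a placeholder organisation `ORG`, and a constructed sample statement and digest.

```python
"""Policy check on a SLSA v1 provenance statement (assumed GitHub artifact
attestation layout). The statement below is constructed, not a real one."""
import json

# Constructed sample: an in-toto Statement carrying SLSA v1 provenance.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/ORG/ggbridge",
                 "digest": {"sha256": "a" * 64}}],  # placeholder digest
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.2.3",
                "repository": "https://github.com/ORG/ggbridge",
                "path": ".github/workflows/release.yml"}}},
        "runDetails": {"builder": {"id": "https://github.com/ORG/ggbridge/"
                                         ".github/workflows/release.yml@refs/tags/v1.2.3"}}}})

EXPECTED_REPO = "https://github.com/ORG/ggbridge"  # placeholder org
EXPECTED_WORKFLOW = ".github/workflows/release.yml"

def check_provenance(statement_json, image_digest, repo=EXPECTED_REPO,
                     workflow=EXPECTED_WORKFLOW):
    """Return a list of policy failures (empty list means accepted).
    Assumes the statement's signature was already verified by the
    attestation tooling; this only evaluates the claims inside it."""
    st = json.loads(statement_json)
    failures = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("not a SLSA v1 provenance predicate")
    digests = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if image_digest.removeprefix("sha256:") not in digests:
        failures.append("image digest is not a subject of this statement")
    pred = st.get("predicate", {})
    bd = pred.get("buildDefinition", {})
    if bd.get("buildType") != "https://actions.github.io/buildtypes/workflow/v1":
        failures.append("build type is not a GitHub Actions workflow")
    wf = bd.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != repo:
        failures.append(f"built from unexpected repository {wf.get('repository')!r}")
    if wf.get("path") != workflow:
        failures.append(f"built by unexpected workflow {wf.get('path')!r}")
    if not wf.get("ref", "").startswith("refs/tags/"):
        failures.append("build was not triggered from a release tag")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(f"{repo}/{workflow}@"):
        failures.append(f"builder id {builder!r} does not match repo/workflow")
    return failures
```

Pin the image by digest when pulling, and pass that same digest to the check so the statement is bound to the exact artifact you run.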