
Secure SDLC Evidence Collector — Technical documentation

This is the technical site for the Secure SDLC Evidence Collector. The product README at the repository root tells you what the tool does; this site tells you how to integrate it, extend it, and operate it in a real pipeline.

What you'll find here

  • Bundle schema reference — the canonical shape of bundle.json that pipelines consume and policy engines validate.
  • GitHub Action documentation — inputs, outputs, examples, and recipes for using the action in your release workflows.
  • Release readiness model — how ready / conditional / not_ready is decided, and how to wire the verdict into pipeline gates.
  • Limitations — what the collector explicitly does not do, so adopters do not assume coverage that is not there.
  • Traceability matrix — control-to-evidence mapping with NIST SSDF and OWASP SAMM coordinates.
  • Maturity roadmap — the public roadmap for future hardening and adoption work.
  • Architecture decision records — the non-obvious decisions that shape this project and the reasoning behind them.

Where the product lives

Each surface and where it lives in the repository:

  • CLI (sdlc-evidence): src/evidence_collector/cli/main.py
  • GitHub Action: action.yml
  • Container image: publish-pypi.yml builds and signs ghcr.io/lucashgrifoni/secure-sdlc-evidence-collector (multi-arch, cosign keyless + SBOM attestation) on tag push. The first publicly verifiable image will be :v1.1.0.
  • Wheel + sdist: built and signed by publish-pypi.yml; PyPI publishing depends on the repository's Trusted Publisher configuration on PyPI.
  • Bundle JSON Schema: exported by sdlc-evidence schema; validated in CI on every run.

Verifying signatures

publish-pypi.yml is configured to sign every release artifact with cosign keyless and to record each signature on the Sigstore Rekor transparency log. Once the first signed v1.1.0 release is published, you can verify the wheel with:

cosign verify-blob \
  --certificate signatures/secure_sdlc_evidence_collector-1.1.0-py3-none-any.whl.pem \
  --signature signatures/secure_sdlc_evidence_collector-1.1.0-py3-none-any.whl.sig \
  --certificate-identity-regexp 'https://github.com/lucashgrifoni/Secure-SDLC-Evidence-Collector' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  secure_sdlc_evidence_collector-1.1.0-py3-none-any.whl

To verify the container image (after the first published v1.1.0):

cosign verify ghcr.io/lucashgrifoni/secure-sdlc-evidence-collector:v1.1.0 \
  --certificate-identity-regexp 'https://github.com/lucashgrifoni/Secure-SDLC-Evidence-Collector' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

To inspect the SBOM attestation:

cosign download attestation \
  ghcr.io/lucashgrifoni/secure-sdlc-evidence-collector:v1.1.0
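The wheel check above, wrapped as a fail-closed pipeline gate. This is an added example, not part of the project's own tooling: it assumes the signatures/ layout and identity regexp shown above, and a COSIGN variable so the binary can be pointed at explicitly. A missing .pem or .sig is treated as a failure rather than a skip, and the whole release fails if any single artifact does.

```shell
#!/bin/sh
# Added example (not project code): verify every release artifact with cosign keyless.
# Assumed layout, matching the commands above:
#   <artifact>                   e.g. secure_sdlc_evidence_collector-1.1.0-py3-none-any.whl
#   signatures/<artifact>.pem    Fulcio certificate for the signing identity
#   signatures/<artifact>.sig    signature recorded on the Rekor transparency log
COSIGN="${COSIGN:-cosign}"          # assumption: lets a caller pin a specific binary
SIG_DIR="${SIG_DIR:-signatures}"
CERT_IDENTITY_RE='https://github.com/lucashgrifoni/Secure-SDLC-Evidence-Collector'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# verify_artifact <path>: returns 0 only if cosign accepts the signature.
# A missing artifact, certificate or signature file is a failure, never a skip,
# so an attacker cannot bypass the gate by dropping the signature files.
verify_artifact() {
    artifact="$1"
    name=$(basename "$artifact")
    cert="$SIG_DIR/$name.pem"
    sig="$SIG_DIR/$name.sig"
    for f in "$artifact" "$cert" "$sig"; do
        if [ ! -f "$f" ]; then
            echo "verify: missing $f" >&2
            return 1
        fi
    done
    "$COSIGN" verify-blob \
        --certificate "$cert" \
        --signature "$sig" \
        --certificate-identity-regexp "$CERT_IDENTITY_RE" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$artifact"
}

# verify_release <artifact>...: checks each artifact, reports each result, and
# returns non-zero if any one of them fails (pipeline-gate semantics).
verify_release() {
    failed=0
    for a in "$@"; do
        if verify_artifact "$a"; then
            echo "verified: $a"
        else
            echo "FAILED:   $a" >&2
            failed=1
        fi
    done
    return "$failed"
}

# When run directly with artifact paths, gate on all of them, e.g.
#   sh verify_release.sh dist/*.whl dist/*.tar.gz
[ "$#" -eq 0 ] || verify_release "$@"
```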

Reporting issues