Please go to Security Advisories to privately report a security vulnerability, our contributors will try to respond within a week of your report with a rough plan for a fix and new tests.

Docker images published by this project are signed using Cosign keyless signing via Sigstore. Signatures are recorded in the public Rekor transparency log — no private key is stored or required.

To verify an image, install Cosign (instructions) and run:

cosign verify \
  --certificate-identity "https://github.com/com-pas/compas-scl-auto-alignment/.github/workflows/release-please.yml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  lfenergy/compas-scl-auto-alignment:<tag>

Replace <tag> with the specific release tag (e.g. 0.6.1) or latest.