Docker images published by this project are signed using Cosign keyless signing via Sigstore. Signatures are recorded in the public Rekor transparency log — no private key is stored or required.
To verify an image, install Cosign (see its installation instructions) and run:
    cosign verify \
      --certificate-identity "https://github.com/com-pas/compas-scl-data-service/.github/workflows/release-please.yml@refs/heads/main" \
      --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
      lfenergy/compas-scl-data-service:<tag>

Replace <tag> with the specific release tag (e.g. 0.18.0) or latest.
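With keyless signing there is no public key to pin, so the trust decision rests entirely on the two values passed above: the certificate identity (the exact release workflow on `refs/heads/main`) and the OIDC issuer. A deployment pipeline that wants to fail closed should therefore check both against the verification result and then pull the image by the verified digest rather than by tag. The following script is an added example, not part of this project or of Cosign: it runs `cosign verify` with JSON output, parses the signature payloads Cosign prints to stdout, enforces the expected `Subject` and `Issuer`, and returns a digest-pinned reference. The sample payload embedded for offline use is constructed to mirror Cosign's output shape, and the digest in it is a placeholder.

```python
import json
import re
import subprocess

# Values from the project's verification instructions.
EXPECTED_IDENTITY = (
    "https://github.com/com-pas/compas-scl-data-service/"
    ".github/workflows/release-please.yml@refs/heads/main"
)
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
IMAGE = "lfenergy/compas-scl-data-service"

# Constructed sample of what `cosign verify --output json` prints for one
# keyless signature: a JSON array of signature payloads. The digest is a
# placeholder, not a real release digest.
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/" + IMAGE},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": EXPECTED_IDENTITY,
    },
}])

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def check_signatures(cosign_json, expected_identity, expected_issuer):
    """Validate Cosign's JSON payloads and return the single verified digest.

    Raises ValueError on any mismatch so callers fail closed. Cosign already
    enforces identity and issuer when given the flags above; re-checking here
    guards against a misconfigured or omitted flag in the pipeline.
    """
    payloads = json.loads(cosign_json)
    if not payloads:
        raise ValueError("no signature payloads returned")
    digests = set()
    for payload in payloads:
        optional = payload.get("optional") or {}
        if optional.get("Issuer") != expected_issuer:
            raise ValueError(f"unexpected OIDC issuer: {optional.get('Issuer')!r}")
        if optional.get("Subject") != expected_identity:
            raise ValueError(f"unexpected signing identity: {optional.get('Subject')!r}")
        digest = payload["critical"]["image"]["docker-manifest-digest"]
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed manifest digest: {digest!r}")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"payloads refer to {len(digests)} different digests")
    return digests.pop()


def pinned_reference(image, digest):
    """Build the immutable reference to pull once the signature checks out."""
    return f"{image}@{digest}"


def verify_with_cosign(tag):
    """Invoke the cosign CLI (must be installed) and return the pinned reference.

    Cosign writes its human-readable summary to stderr and the JSON payloads
    to stdout, so only stdout is parsed.
    """
    result = subprocess.run(
        [
            "cosign", "verify", "--output", "json",
            "--certificate-identity", EXPECTED_IDENTITY,
            "--certificate-oidc-issuer", EXPECTED_ISSUER,
            f"{IMAGE}:{tag}",
        ],
        capture_output=True, text=True, check=True,
    )
    digest = check_signatures(result.stdout, EXPECTED_IDENTITY, EXPECTED_ISSUER)
    return pinned_reference(IMAGE, digest)


if __name__ == "__main__":
    # Offline demonstration on the constructed payload.
    digest = check_signatures(SAMPLE_COSIGN_OUTPUT, EXPECTED_IDENTITY, EXPECTED_ISSUER)
    print("pull by digest:", pinned_reference(IMAGE, digest))
```

Note that the identity is pinned to `refs/heads/main`, so a signature produced by the same workflow running on a tag ref would be rejected; if the project ever signs from tag refs, Cosign's `--certificate-identity-regexp` flag allows a bounded pattern instead of the exact string, and the check in `check_signatures` would need the same relaxation.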
Please go to Security Advisories to privately report a security vulnerability. Our contributors will try to respond within a week of your report with a rough plan for a fix and new tests.