Omitly · Security

Release attestations

One signed attestation per release. Each binds the exact artifact hashes, the SBOM/CBOM, the threat-model version, and an evidence bundle — so every number we publish is recomputable from evidence you can fetch, not a claim.

We report coverage, not counts: each attestation carries an OWASP ASVS Level 2 scorecard (control → pass / not-applicable-with-reason / waived → how verified), not a raw "N tests run" figure. That shows what was excluded and why.
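How a reader could recompute both properties from fetched evidence, as an added example that is not Omitly's code or published format: it re-hashes the fetched artifacts against the attested digests and recounts the scorecard, flagging rows that exclude a control without a reason. The field names (`artifacts`, `scorecard`, `control`, `status`, `reason`, `verified_by`), the `C-00x` control labels and the coverage formula are assumptions, and the signature on the attestation is assumed to have been verified already.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def mismatched_artifacts(attested: dict, fetched: dict) -> list:
    """Names whose fetched bytes are missing or do not hash to the attested digest."""
    return sorted(name for name, digest in attested.items()
                  if name not in fetched or sha256_hex(fetched[name]) != digest)

def recompute_scorecard(rows: list) -> dict:
    """Recount statuses and flag rows that exclude a control without saying why."""
    counts, problems = Counter(), []
    for row in rows:
        status = row.get("status")
        if status not in ("pass", "not-applicable", "waived"):
            problems.append(f"{row['control']}: unknown status {status!r}")
            continue
        counts[status] += 1
        if status == "not-applicable" and not row.get("reason", "").strip():
            problems.append(f"{row['control']}: not-applicable without a reason")
        if status == "pass" and not row.get("verified_by", "").strip():
            problems.append(f"{row['control']}: pass without a verification method")
    # Assumption: not-applicable rows leave the denominator; waived rows stay in it.
    in_scope = counts["pass"] + counts["waived"]
    coverage = counts["pass"] / in_scope if in_scope else 0.0
    return {"counts": dict(counts), "coverage": coverage, "problems": problems}

# Constructed sample data (hypothetical layout, not a real Omitly attestation).
RELEASE = {"app.tar.gz": b"constructed release bytes",
           "sbom.json": b'{"constructed": true}'}
ATTESTATION = {
    "artifacts": {name: sha256_hex(data) for name, data in RELEASE.items()},
    "scorecard": [
        {"control": "C-001", "status": "pass", "verified_by": "automated test"},
        {"control": "C-002", "status": "pass", "verified_by": "manual review"},
        {"control": "C-003", "status": "not-applicable", "reason": "no file upload"},
        {"control": "C-004", "status": "waived", "reason": "accepted until next release"},
        {"control": "C-005", "status": "not-applicable", "reason": ""},
    ],
}

if __name__ == "__main__":
    print(mismatched_artifacts(ATTESTATION["artifacts"], RELEASE))
    print(recompute_scorecard(ATTESTATION["scorecard"]))
```
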

No attestation has been published yet. The first is generated by the release pipeline once the signing-key ceremony is complete; this page will list it automatically.