Release attestations
One signed attestation per release. Each binds the exact artifact hashes, the SBOM/CBOM, the threat-model version, and an evidence bundle — so every number we publish is recomputable from evidence you can fetch, not a claim.
We report coverage, not counts: each attestation carries an OWASP ASVS Level 2 scorecard (control → pass / not-applicable-with-reason / waived → how verified), not a raw "N tests run" figure. That shows what was excluded and why.
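An added example (not this project's code or attestation format): once an attestation's signature has been verified, a consumer can recompute the artifact hashes and the scorecard coverage rather than trusting the published figures. The field names, the coverage formula (pass divided by pass plus waived) and the sample data are assumptions made for illustration.

```python
import hashlib

# Assumed (hypothetical) layout: the page does not publish an attestation schema.
STATUSES = ("pass", "not-applicable", "waived")

def check_artifacts(attestation, fetched):
    """Return names whose fetched bytes are missing or differ from the attested SHA-256."""
    bad = []
    for entry in attestation["artifacts"]:
        data = fetched.get(entry["name"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            bad.append(entry["name"])
    return bad

def recompute_coverage(scorecard):
    """Recount scorecard rows; rows that cannot be justified are reported, not counted."""
    counts = {s: 0 for s in STATUSES}
    problems = []
    for row in scorecard:
        status = row.get("status")
        if status not in STATUSES:
            problems.append((row["control"], "unknown status"))
        elif status == "pass" and not row.get("verified_by"):
            problems.append((row["control"], "pass without verification method"))
        elif status == "not-applicable" and not row.get("reason"):
            problems.append((row["control"], "not-applicable without reason"))
        else:
            counts[status] += 1
    # Assumption: waived controls stay in the denominator, not-applicable ones do not.
    applicable = counts["pass"] + counts["waived"]
    coverage = counts["pass"] / applicable if applicable else 0.0
    return counts, coverage, problems

# Constructed sample data (not a real release or real control identifiers).
ARTIFACT = b"constructed release bytes"
SAMPLE = {
    "artifacts": [{"name": "app.tar.gz", "sha256": hashlib.sha256(ARTIFACT).hexdigest()}],
    "scorecard": [
        {"control": "control-1", "status": "pass", "verified_by": "integration test"},
        {"control": "control-2", "status": "pass", "verified_by": "code review"},
        {"control": "control-3", "status": "not-applicable", "reason": "no file upload"},
        {"control": "control-4", "status": "waived"},
        {"control": "control-5", "status": "pass"},  # no evidence: must be flagged
    ],
}

if __name__ == "__main__":
    print(check_artifacts(SAMPLE, {"app.tar.gz": ARTIFACT}))
    print(recompute_coverage(SAMPLE["scorecard"]))
```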
No attestation has been published yet. The first is generated by the release pipeline once the signing-key ceremony is complete; this page will list it automatically.