Supply chain security tooling for the Faramesh governance ecosystem.
- Sigstore/cosign-compatible binary signing
- Deterministic signature generation from build artifacts
- Verification of signed binaries before deployment
- CycloneDX SBOM generation for Go binaries
- Dependency enumeration from go.mod
- Vulnerability reference linking
- Build environment normalization (trimpath, CGO_ENABLED=0, etc.)
- Build hash computation for verification
- Build attestation generation
- Verify signatures on Hub policy packs before installation
- Chain-of-trust validation from pack author to registry
- Tamper detection for installed packs
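The SBOM and dependency-enumeration features above boil down to reading the `require` directives of a go.mod file and emitting them as CycloneDX components. The following is an added example written for this README, not code from the Faramesh project: it parses a constructed go.mod (the module paths and versions are placeholders), tags `// indirect` modules with the CycloneDX `optional` scope, sorts the result so the same input always yields byte-identical output, and wraps it in a minimal CycloneDX 1.5 document. The `pkg:golang/<path>@<version>` purl form is the standard package-URL type for Go modules; the struct field subset is an assumption about what the tool's own SBOM carries.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod content for the demo; the module paths and versions
// are placeholders, not the Faramesh project's real dependencies.
const sampleGoMod = `module example.com/faramesh-supply

go 1.21

require (
	github.com/example/policy v1.4.2
	golang.org/x/crypto v0.17.0 // indirect
)

require github.com/example/hub v0.9.1
`

// Component is the subset of a CycloneDX component that go.mod can fill in.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
	Scope   string `json:"scope,omitempty"`
}

// SBOM is a minimal CycloneDX 1.5 document: format, spec version, components.
type SBOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// ParseRequires returns one Component per require directive in go.mod,
// handling both the "require ( ... )" block and single-line "require" forms.
// Modules marked "// indirect" are kept, with CycloneDX scope "optional".
func ParseRequires(gomod string) ([]Component, error) {
	var comps []Component
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		var path, ver string
		switch {
		case inBlock && len(f) >= 2:
			path, ver = f[0], f[1]
		case !inBlock && f[0] == "require" && len(f) >= 3:
			path, ver = f[1], f[2]
		default:
			continue // module, go, replace, exclude and similar directives
		}
		c := Component{Type: "library", Name: path, Version: ver,
			PURL: fmt.Sprintf("pkg:golang/%s@%s", path, ver)}
		if strings.Contains(line, "// indirect") {
			c.Scope = "optional"
		}
		comps = append(comps, c)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	// Sort by module path so the same go.mod always yields byte-identical
	// output, which is what makes the SBOM reproducible and hashable.
	sort.Slice(comps, func(i, j int) bool { return comps[i].Name < comps[j].Name })
	return comps, nil
}

// BuildSBOM wraps the components in a CycloneDX document as indented JSON.
func BuildSBOM(comps []Component) ([]byte, error) {
	return json.MarshalIndent(SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5",
		Version: 1, Components: comps}, "", "  ")
}

func main() {
	comps, err := ParseRequires(sampleGoMod)
	if err != nil {
		panic(err)
	}
	out, _ := BuildSBOM(comps)
	fmt.Println(string(out))
}
```

Running it prints a three-component document; a real tool would read go.mod from disk (or `go version -m` output from the binary) instead of the embedded constant, and would add the top-level module itself as the `metadata.component`.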
```bash
# Generate SBOM for a Go binary
go run . sbom --binary ./faramesh --output sbom.json

# Sign a binary
go run . sign --binary ./faramesh --key cosign.key

# Verify a binary
go run . verify --binary ./faramesh --signature ./faramesh.sig

# Verify a Hub pack
go run . pack-verify --pack ./packs/delete-safety-v1
```

License: Apache 2.0