Security & Supply Chain

Overview

sqry takes a defense-in-depth approach to build security and supply chain integrity. Every release is signed, attested, and reproducible. Dependencies are audited continuously, and the query parser is fuzzed on every PR.

Signed Builds & Provenance

Every binary is signed with Sigstore keyless signing and ships with per-platform SLSA Level 2 provenance. No long-lived keys — attestation flows through GitHub OIDC.

# Verify binary signature (keyless signing: pin the expected OIDC issuer and
# signing identity; the workflow identity pattern below is an assumption,
# check it against the release workflow before relying on it)
cosign verify-blob --bundle sqry-linux-x86_64.bundle \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/verivus-oss/sqry/' \
  sqry-linux-x86_64

# Verify SLSA provenance
slsa-verifier verify-artifact sqry-linux-x86_64 \
  --provenance-path sqry-linux-x86_64-provenance.intoto.jsonl \
  --source-uri github.com/verivus-oss/sqry

SBOMs & Vulnerability Exchange

Every release ships CycloneDX and SPDX SBOMs, Grype vulnerability scans, and OpenVEX documents. Full dependency transparency for compliance workflows.
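As an added example (not part of sqry's own tooling), the following Python reconciles a Grype scan with an OpenVEX document so that findings the project has documented as not_affected or fixed drop out of the compliance report; every input in it is constructed, and the CVE ids, crate names and versions are placeholders.

```python
# Reconcile a Grype scan with an OpenVEX document. All data below is constructed;
# CVE ids, crate names and versions are placeholders, not real findings.
import json

# Constructed Grype JSON output, reduced to the fields this example reads.
GRYPE_SCAN = json.loads("""{"matches": [
 {"vulnerability": {"id": "CVE-0000-00001", "severity": "High"},
  "artifact": {"name": "example-crate", "version": "1.2.3",
               "purl": "pkg:cargo/example-crate@1.2.3"}},
 {"vulnerability": {"id": "CVE-0000-00002", "severity": "Medium"},
  "artifact": {"name": "other-crate", "version": "0.4.0",
               "purl": "pkg:cargo/other-crate@0.4.0"}}]}""")

# Constructed OpenVEX v0.2.0 document: the first finding is not exploitable.
OPENVEX_DOC = json.loads("""{"@context": "https://openvex.dev/ns/v0.2.0",
 "@id": "https://example.invalid/vex/placeholder", "author": "placeholder",
 "timestamp": "2024-01-01T00:00:00Z", "version": 1, "statements": [
 {"vulnerability": {"name": "CVE-0000-00001"},
  "products": [{"@id": "pkg:cargo/sqry@0.0.0",
                "subcomponents": [{"@id": "pkg:cargo/example-crate@1.2.3"}]}],
  "status": "not_affected",
  "justification": "vulnerable_code_not_in_execute_path"}]}""")

# OpenVEX statuses under which no action is needed for the stated components.
SUPPRESSING = {"not_affected", "fixed"}

def vex_index(vex):
    """Map vulnerability name -> purls that a suppressing statement covers."""
    index = {}
    for stmt in vex.get("statements", []):
        if stmt.get("status") not in SUPPRESSING:
            continue
        covered = index.setdefault(stmt["vulnerability"]["name"], set())
        for product in stmt.get("products", []):
            covered.add(product["@id"])
            covered.update(s["@id"] for s in product.get("subcomponents", []))
    return index

def actionable_findings(scan, vex):
    """Grype matches not covered by a not_affected/fixed VEX statement."""
    index = vex_index(vex)
    remaining = []
    for match in scan["matches"]:
        vuln, purl = match["vulnerability"]["id"], match["artifact"]["purl"]
        if purl not in index.get(vuln, set()):  # no VEX cover: still actionable
            remaining.append((vuln, purl, match["vulnerability"]["severity"]))
    return remaining

if __name__ == "__main__":
    for vuln, purl, sev in actionable_findings(GRYPE_SCAN, OPENVEX_DOC):
        print(f"{sev:8} {vuln} {purl}")
```

Matching is on the exact package URL, so a VEX statement only silences a finding for the component and version it names; anything else stays in the report.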

Dependency Auditing

Every dependency is audited via cargo-vet with imports from Mozilla, Google, and Bytecode Alliance. cargo-deny enforces license policy and CVE checks on every commit.

Continuous Fuzzing & UB Detection

The query parser is fuzzed on every PR and in extended nightly runs with AddressSanitizer. Miri checks for undefined behavior weekly. Malformed input tests cover all 35 language parsers.

Mutation Testing & Coverage

Weekly mutation testing via cargo-mutants validates that the test suite actually catches injected bugs rather than merely passing. LLVM-based code coverage with enforced thresholds. Clippy with zero-warning policy across all platforms.

Unsafe Code Tracking

Weekly cargo-geiger audits track every unsafe block across all crates. Quarterly security audits combine RustSec advisory checks, license enforcement, and supply chain verification.