Skip to content

Security

Raven's security posture is defence in depth, not a single control. The build pipeline produces signed artifacts with SLSA Level 3 provenance; every pull request and weekly cron run scan source for vulnerabilities (CodeQL

Pillars

PillarWhat it coversCanonical link
Build provenanceContainer images and release binaries carry SLSA L3 attestations, signed via Sigstore keyless OIDC./trust/slsa-level-3
Process complianceOSPS Baseline 2026-02-19, Level 2 — every control mapped to evidence (PR, workflow, file)./trust/openssf-baseline
Self-assessment / questionnaireOpenSSF Best Practices Badge (project 12590), full answer key reproduced inline./trust/openssf-best-practices
Pre-merge SASTCodeQL with security-extended + security-and-quality query suites for Go, Python, and JS/TS, plus Semgrep OSS with p/ci, p/security-audit, p/owasp-top-ten, and p/secrets rulepacks.codeql.yml · semgrep.yml
Pre-merge secretsGitleaks blocks merges that introduce credentials; runs on PR, push, and a weekly cron.gitleaks.yml
Dependency securityDependabot for gomod, pip, npm, docker, and github-actions; Trivy + govulncheck in CI; OpenSSF Scorecard publishes the Vulnerabilities check weekly.dependabot.yml · security.yml · scorecard.yml
Vulnerability disclosureCoordinated disclosure under a 72h-ack / 7d-triage / 90d-fix SLA./reference/security-policy
Machine-readable disclosure pathRFC 9116 security.txt — also served from the production deploy..well-known/security.txt

Reporting a vulnerability

If you believe you have found a security issue in Raven, please report it privately. Two channels are accepted:

You will receive an acknowledgement within 72 hours, a triage and severity assessment within 7 days, and a fix coordinated within 90 days of the initial report. Do not file a public GitHub issue, post on social media, or otherwise disclose the issue until the advisory ships.

Read the full policy →

Bug bounty

Raven does not run a paid bug-bounty programme today. The security policy's Safe Harbor clause applies: good-faith research that complies with the policy is treated as authorised, will not be pursued legally, and will be acknowledged in the resulting GitHub Security Advisory unless the reporter opts out. See the Safe Harbor section of the policy for the full terms.

Cryptographic verification

Release binaries (checksums.txt, frontend bundle), Docker images, and their attestations are signed with Sigstore Cosign using GitHub's OIDC identity — no long-lived signing keys. Step-by-step recipes for verifying provenance with gh attestation verify, cosign verify-attestation, and slsa-verifier, plus the production guidance on always pinning by digest, live at:

Audit findings and pentests

Raven has not commissioned a formal third-party security audit or penetration test to date. The project is single-maintainer open source pre-1.0 — a paid audit is on the post-1.0 milestone list rather than something we can claim retroactively. The compensating controls today are: automated SAST and dependency scanning on every change, a public OSPS-L2 self-assessment, SLSA L3 build provenance, and a working coordinated-disclosure channel. When an audit or pentest is commissioned, the findings (or a redacted summary) will be linked from this page.

Compliance

The OSS portion of the repository (everything under LICENSE; the Enterprise portion under ee-LICENSE is out of scope) targets OSPS Baseline 2026-02-19 at Level 2. The full control-by-control mapping is at /trust/openssf-baseline.

Privacy, GDPR, and India DPDP material lives under /trust/privacy/. That page is held back behind a DRAFT counsel-review banner and is scheduled for publication once counsel review completes; the supporting evidence (DPA template, sub-processor list, retention schedule) is being prepared in parallel.

See also