Status: Open
Labels: enhancement (New feature or request), security (Security-related changes or concerns)
OSSF Silver Criterion
documentation_security (SHOULD) — The project SHOULD document how consumers can verify the integrity and provenance of released artifacts.
Description
Create a docs/security/ directory with consumer-facing documentation covering attestation verification, SBOM inspection, tag signature verification, and a security overview index. This is the capstone documentation deliverable for the v2.8.0 supply chain security milestone — it makes attestation and signing capabilities discoverable and usable by downstream consumers.
Acceptance Criteria
- docs/security/README.md created with security overview and verification index
- docs/security/attestation-verification.md — how to verify build provenance with gh attestation verify
- docs/security/sbom-verification.md — how to inspect SPDX-JSON SBOMs generated by anchore/sbom-action
- docs/security/tag-signature-verification.md — how to verify gitsign-signed release tags
- docs/security/container-verification.md — how to verify container image attestations
- SECURITY.md enhanced with a "What Gets Signed" attestation summary (reference: hve-core pattern)
- All verification commands use concrete examples from edge-ai artifacts
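The consumer-side checks the four documents above describe, as an added example that is not part of this issue or of the edge-ai repository's own docs or code. The cryptographic work is done by the CLI: `gh attestation verify edge-ai-2.8.0.tar.gz --repo example-org/edge-ai` for a release file, the same command with `oci://ghcr.io/example-org/edge-ai:2.8.0` for a container image, and `git verify-tag v2.8.0` (with `gpg.format=x509` and `gpg.x509.program=gitsign` configured) for a gitsign-signed tag. What those commands do not show the consumer is what the attestation actually claims; this script decodes a bundle saved with `gh attestation download`, checks its claims against the local artifact and the expected source repository, and pulls package versions and purls out of an SPDX-JSON SBOM. The org `example-org`, the artifact name, the workflow path, the package versions, and the bundle and SBOM contents are all constructed assumptions, and the script does not replace signature verification (a forged bundle can carry any claims):

```python
"""Consumer-side inspection of a GitHub attestation bundle and an SPDX-JSON SBOM.

Signature, Fulcio certificate and Rekor checks are done by `gh attestation
verify`; this script decodes the claims inside a bundle saved with
`gh attestation download` and inspects an SBOM. All inputs below are
constructed samples; org, artifact name and versions are assumptions.
"""
import base64
import hashlib
import json

EXPECTED_REPO = "https://github.com/example-org/edge-ai"  # assumption
ARTIFACT = b"constructed stand-in for edge-ai-2.8.0.tar.gz"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# SLSA v1 provenance statement in the shape actions/attest-build-provenance
# emits on a GitHub-hosted runner (only fields this script checks are filled).
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "edge-ai-2.8.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "repository": EXPECTED_REPO,
                "ref": "refs/tags/v2.8.0",
                "path": ".github/workflows/release.yml"}},
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}

# One line of the .jsonl that `gh attestation download` writes; signature and
# verification material are elided because they are not inspected here.
BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {},
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"sig": "ELIDED", "keyid": ""}],
    },
}

# Minimal SPDX 2.3 document in the layout anchore/sbom-action (syft) produces.
SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "edge-ai-2.8.0.tar.gz",
    "packages": [
        {"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.13",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13"}]},
        {"name": "numpy", "SPDXID": "SPDXRef-Package-numpy", "versionInfo": "1.26.4",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/numpy@1.26.4"}]},
    ],
}


def decode_statement(bundle: dict) -> dict:
    """Base64-decode the DSSE payload into the in-toto statement."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def provenance_problems(bundle: dict, artifact: bytes, expected_repo: str) -> list[str]:
    """List claim mismatches; an empty list means the claims match the artifact.

    Claims only: without `gh attestation verify` nothing binds them to the
    repository's workflow identity.
    """
    stmt = decode_statement(bundle)
    problems = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        problems.append("artifact sha256 not among attestation subjects")
    wf = (stmt.get("predicate", {}).get("buildDefinition", {})
          .get("externalParameters", {}).get("workflow", {}))
    if wf.get("repository") != expected_repo:
        problems.append(f"built by {wf.get('repository')!r}, expected {expected_repo!r}")
    if not wf.get("ref", "").startswith("refs/tags/"):
        problems.append(f"built from non-tag ref {wf.get('ref')!r}")
    return problems


def sbom_versions(sbom: dict, package: str) -> list[str]:
    """Versions recorded for a package name, e.g. to triage a CVE advisory."""
    return [p.get("versionInfo", "") for p in sbom.get("packages", []) if p.get("name") == package]


def sbom_purls(sbom: dict) -> list[str]:
    """All package URLs, the identifier most vulnerability scanners match on."""
    return [r["referenceLocator"] for p in sbom.get("packages", [])
            for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]


if __name__ == "__main__":
    print("provenance problems:", provenance_problems(BUNDLE, ARTIFACT, EXPECTED_REPO))
    print("tampered artifact:", provenance_problems(BUNDLE, b"tampered", EXPECTED_REPO))
    print("openssl versions:", sbom_versions(SBOM, "openssl"))
    print("purls:", sbom_purls(SBOM))
```

The repository and tag-ref checks are the part a consumer most easily skips: `gh attestation verify` with `--owner` instead of `--repo` accepts an attestation from any repository in the organization, and a provenance built from a branch rather than a release tag is still validly signed. Tag signatures are verified by git with gitsign configured as the x509 program and are not inspected by this script.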
Cross-Repo Alignment
- hve-core: has docs/security/ with an attestation verification guide — use as reference template
- physical-ai-toolchain: consumer verification documented inline in release notes — this issue formalizes that pattern
Dependencies
- Depends on: ci(security): establish security review gate with CODEOWNERS #171 (security review gate establishes docs/security/ scope)
- Depends on: [FEATURE] Replace SLSA attestation with enterprise-compliant actions/attest #100 (attestation patterns must be implemented before documenting verification)
- Depends on: ci(release): implement Sigstore keyless signing for release tags #172 (tag signing must be implemented before documenting tag verification)
- Depends on: ci(containers): add GitHub-native attestation for container images #173 (container attestation must be implemented before documenting container verification)