{"id":32930023,"url":"https://github.com/redoubt-cysec/provenance-template","last_synced_at":"2026-04-28T16:02:36.126Z","repository":{"id":321200734,"uuid":"1084295666","full_name":"redoubt-cysec/provenance-template","owner":"redoubt-cysec","description":"Production-ready template demonstrating supply chain security, SLSA provenance, and multi-platform distribution for Python CLIs","archived":false,"fork":false,"pushed_at":"2025-11-01T22:27:02.000Z","size":2359,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-11T13:03:03.842Z","etag":null,"topics":["attestation","cli","devsecops","github-actions","homebrew","provenance","pypi","python","reproducible-builds","sbom","security","sigstore","slsa","supply-chain-security","template","verification"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redoubt-cysec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"docs/contributing/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security/COMPLETE-SECURITY-CHECKLIST.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-27T13:46:50.000Z","updated_at":"2025-11-01T22:20:00.000Z","dependencies_parsed_at":"2025-10-28T12:14:27.610Z","dependency_job_id":"cbd42193-a105-4ab2-9217-2b52a1b0b49c","html_url":"https://github.com/redoubt-cysec/provenance-template","commit_stats":null,"previous_names":["redoubt-cysec/provenance-template"],"tags_count":32,"template":true,"template_full_name":null,"purl":"pkg:github/redoubt-cysec/provenance-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redoubt-cysec%2Fprovenance-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redoubt-cysec%2Fprovenance-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redoubt-cysec%2Fprovenance-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redoubt-cysec%2Fprovenance-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redoubt-cysec","download_url":"https://codeload.github.com/redoubt-cysec/provenance-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redoubt-cysec%2Fprovenance-template/sbom","scorecard":{"id":1239290,"data":{"date":"2025-10-28T11:50:05Z","repo":{"name":"github.com/redoubt-cysec/provenance-template","commit":"3251624b5c78fbc450d5e4bd00d2b83dc98d4b94"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":4.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/20 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cachix-nix.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/cachix-nix.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cachix-nix.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/cachix-nix.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cachix-nix.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/cachix-nix.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/distribution-testing.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/distribution-testing.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/distribution-testing.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/distribution-testing.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/distribution-testing.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/distribution-testing.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/flatpak-beta-publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/flatpak-beta-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/flatpak-beta-selfhost.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/flatpak-beta-selfhost.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/flatpak-beta-selfhost.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/flatpak-beta-selfhost.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/homebrew-macos.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/homebrew-macos.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/homebrew-upgrade.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/homebrew-upgrade.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linux-multidistro-matrix.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/linux-multidistro-matrix.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linux-multidistro-matrix.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/linux-multidistro-matrix.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi-multiversion.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/pypi-multiversion.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upgrade-suite.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/upgrade-suite.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows-testing.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/redoubt-cysec/provenance-template/windows-testing.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:4","Warn: containerImage not pinned by hash: Dockerfile:27: pin your Docker image by updating python:3.10-slim to python:3.10-slim@sha256:e0c4fae70d550834a40f6c3e0326e02cfe239c2351d922e1fb1577a3c6ebde02","Warn: pipCommand not pinned by hash: scripts/build_all_artifacts.sh:17","Warn: pipCommand not pinned by hash: scripts/build_all_artifacts.sh:18","Warn: pipCommand not pinned by hash: scripts/check_licenses.sh:12","Warn: pipCommand not pinned by hash: scripts/dev-setup.sh:50","Warn: downloadThenRun not pinned by hash: scripts/install-all-distribution-tools.sh:97","Warn: downloadThenRun not pinned by hash: scripts/install-all-distribution-tools.sh:196","Warn: downloadThenRun not pinned by hash: scripts/phase1-testing/appimage-local-build.sh:16","Warn: npmCommand not pinned by hash: scripts/phase1-testing/npm-local-registry.sh:78","Warn: pipCommand not pinned by hash: scripts/phase2-testing/setup-test-pypi.sh:22","Warn: pipCommand not pinned by hash: scripts/phase2-testing/setup-test-pypi.sh:88","Warn: downloadThenRun not pinned by hash: scripts/phase2-testing/test-nix-cachix-vm.sh:38","Warn: pipCommand not pinned by hash: scripts/phase2-testing/upgrade/test-upgrade-pypi.sh:13","Warn: pipCommand not pinned by hash: scripts/phase2-testing/upgrade/test-upgrade-pypi.sh:16","Warn: pipCommand not pinned by hash: scripts/phase2-testing/upgrade/test-upgrade-pypi.sh:29","Warn: pipCommand not pinned by hash: scripts/phase2-testing/upgrade/test-upgrade-pypi.sh:34","Warn: pipCommand not pinned by hash: scripts/quick_setup.sh:89","Warn: downloadThenRun not pinned by hash: scripts/setup/install-nix.sh:29","Warn: pipCommand not pinned by hash: scripts/setup_local_config.sh:160","Warn: pipCommand not pinned by hash: scripts/setup_local_config.sh:197","Warn: downloadThenRun not pinned by hash: .github/workflows/build-all-platforms.yml:40","Warn: downloadThenRun not pinned by hash: .github/workflows/build-all-platforms.yml:43","Warn: downloadThenRun not pinned by hash: .github/workflows/build-all-platforms.yml:85","Warn: downloadThenRun not pinned by hash: .github/workflows/coverage.yml:31","Warn: downloadThenRun not pinned by hash: .github/workflows/distribution-testing.yml:23","Warn: downloadThenRun not pinned by hash: .github/workflows/github-pages.yml:53","Warn: downloadThenRun not pinned by hash: .github/workflows/integration-tests.yml:38","Warn: downloadThenRun not pinned by hash: .github/workflows/integration-tests.yml:81","Warn: downloadThenRun not pinned by hash: .github/workflows/main-verify.yml:29","Warn: downloadThenRun not pinned by hash: .github/workflows/pypi-publish.yml:40","Warn: pipCommand not pinned by hash: .github/workflows/pypi-publish.yml:198","Warn: pipCommand not pinned by hash: .github/workflows/python-compatibility.yml:51","Warn: pipCommand not pinned by hash: .github/workflows/python-compatibility.yml:52","Warn: pipCommand not pinned by hash: .github/workflows/python-compatibility.yml:87","Warn: pipCommand not pinned by hash: .github/workflows/python-compatibility.yml:88","Warn: downloadThenRun not pinned by hash: .github/workflows/quick-pr-checks.yml:47","Warn: downloadThenRun not pinned by hash: .github/workflows/rebuilder.yml:41","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:47","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:48","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yml:67","Warn: downloadThenRun not pinned by hash: .github/workflows/snap-publish.yml:45","Info:  72 out of  86 GitHub-owned GitHubAction dependencies pinned","Info:  40 out of  42 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   5 out of  25 pipCommand dependencies pinned","Info:   0 out of  19 downloadThenRun dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool detected: CodeQL","details":["Info: SAST configuration detected: CodeQL","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:18","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-all-platforms.yml:11","Warn: no topLevel permission defined: .github/workflows/cachix-nix.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage.yml:13","Warn: no topLevel permission defined: .github/workflows/distribution-testing.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker-multiarch.yml:17","Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker-multiarch.yml:18","Warn: no topLevel permission defined: .github/workflows/flatpak-beta-publish.yml:1","Warn: no topLevel permission defined: .github/workflows/flatpak-beta-selfhost.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/flatpak-beta.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/github-pages.yml:13","Warn: no topLevel permission defined: .github/workflows/homebrew-macos.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/homebrew-tap.yml:17","Warn: no topLevel permission defined: .github/workflows/homebrew-upgrade.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration-tests.yml:20","Warn: no topLevel permission defined: .github/workflows/linux-multidistro-matrix.yml:1","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/main-verify.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/main-verify.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/nix-cachix.yml:13","Warn: no topLevel permission defined: .github/workflows/pypi-multiversion.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/pypi-publish.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-compatibility.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/quick-pr-checks.yml:7","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/quick-pr-checks.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/rebuilder.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/scan-latest-release.yml:8","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/scan-latest-release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/snap-publish.yml:23","Warn: no topLevel permission defined: .github/workflows/upgrade-suite.yml:1","Warn: no topLevel permission defined: .github/workflows/windows-testing.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-10-28T12:24:53.972Z","repository_id":321200734,"created_at":"2025-10-28T12:24:53.973Z","updated_at":"2025-10-28T12:24:53.973Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32387923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T14:34:11.604Z","status":"ssl_error","status_checked_at":"2026-04-28T14:32:37.009Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","cli","devsecops","github-actions","homebrew","provenance","pypi","python","reproducible-builds","sbom","security","sigstore","slsa","supply-chain-security","template","verification"],"created_at":"2025-11-11T13:01:00.519Z","updated_at":"2026-04-28T16:02:36.120Z","avatar_url":"https://github.com/redoubt-cysec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Provenance Demo\n\n[![Main Verify](https://github.com/redoubt-cysec/provenance-template/actions/workflows/main-verify.yml/badge.svg?branch=main)](https://github.com/redoubt-cysec/provenance-template/actions/workflows/main-verify.yml)\n[![Secure Release](https://github.com/redoubt-cysec/provenance-template/actions/workflows/secure-release.yml/badge.svg?branch=main)](https://github.com/redoubt-cysec/provenance-template/actions/workflows/secure-release.yml)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/redoubt-cysec/provenance-template/badge)](https://scorecard.dev/viewer/?uri=github.com/redoubt-cysec/provenance-template)\n[![Security Tests](https://github.com/redoubt-cysec/provenance-template/actions/workflows/security-tests.yml/badge.svg?branch=main)](https://github.com/redoubt-cysec/provenance-template/actions/workflows/security-tests.yml)\n[![Integration Tests](https://github.com/redoubt-cysec/provenance-template/actions/workflows/integration-tests.yml/badge.svg?branch=main)](https://github.com/redoubt-cysec/provenance-template/actions/workflows/integration-tests.yml)\n[![codecov](https://codecov.io/gh/redoubt-cysec/provenance-template/branch/main/graph/badge.svg)](https://codecov.io/gh/redoubt-cysec/provenance-template)\n[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n\n**Production-ready Python CLI template with enterprise-grade supply chain security.**\n\nBootstrap your Python CLI project with battle-tested security features, 10 production-ready distribution platforms (plus configuration templates for 6 more), and a fully automated secure release pipeline. Built for developers who take supply chain security seriously.\n\n## What You Get\n\n### Security Features\n\n- **Cryptographic Signing:** Sigstore/cosign keyless signing with Rekor transparency log\n- **Attestations:** GitHub provenance attestations with SLSA compliance\n- **SBOM:** CycloneDX Software Bill of Materials with OSV vulnerability scanning\n- **Reproducible Builds:** Deterministic builds with hash verification\n- **Hardened CI:** Egress firewall (StepSecurity Harden-Runner), pinned GitHub Actions\n- **Verification Suite:** 60+ automated security tests, cryptographic integrity checks\n- **Runtime Security:** Built-in `verify` command to check attestations after installation\n\n### Distribution Support\n\n**Production-ready platforms with full testing:**\n\n- **Python:** PyPI (pip/uv), pipx, direct .pyz execution\n- **Package Managers:** Homebrew (macOS/Linux), Snap\n- **Windows:** Chocolatey, WinGet, Scoop\n- **Containers:** Docker, OCI registries (GHCR)\n- **Direct:** GitHub Releases\n\n**Configuration templates ready (testing in progress):**\n\n- **Linux:** Flatpak, APT/Debian, RPM/Fedora, AUR/Arch, AppImage, Nix/NixOS\n\n**📊 [Complete Platform Status \u0026 Roadmap](docs/distribution/PLATFORM-STATUS.md)** - Detailed status table with test coverage, workflows, and production readiness for each platform.\n\n### Developer Experience\n\n- **Modern Tooling:** Uses [uv](https://github.com/astral-sh/uv) for fast Python package management\n- **Multiple Build Systems:** Makefile, justfile, Docker, Nix flake\n- **Comprehensive Testing:** Unit tests, integration tests, distribution tests, security tests\n- **Pre-commit Hooks:** Automated code quality checks\n- **CI/CD Ready:** GitHub Actions workflows for PRs, releases, and security scanning\n- **Documentation:** Organized docs with guides for security, testing, and distribution\n\n## Quick Start\n\n### 1. Create Your Repository\n\nClick **\"Use this template\"** on GitHub to create your own repository.\n\n### 2. Install Prerequisites\n\n```bash\n# Python 3.11 or higher\npython --version\n\n# Install uv (fast Python package manager)\ncurl -LsSf https://astral.sh/uv/install.sh | sh\n\n# Optional: Install just (command runner)\nbrew install just  # macOS\n# or: cargo install just\n```\n\n### 3. Customize the Template\n\n**Option A: Interactive Wizard (Recommended)**\n\nRun the initialization wizard to customize the template for your project:\n\n```bash\njust init\n```\n\nOr directly:\n\n```bash\npython3 scripts/init-template.py\n```\n\nThe wizard will interactively prompt you for:\n\n- Package name (Python module)\n- CLI command name\n- GitHub repository owner/name\n- Project metadata (description, author)\n- GitHub secrets for distribution platforms (optional)\n\nIt's **idempotent** - safe to run multiple times and will detect your current configuration.\n\n**Option B: Manual Setup**\n\nAlternatively, use the shell script to replace placeholder values:\n\n```bash\n./scripts/setup_local_config.sh\n```\n\nThis replaces `redoubt-cysec/provenance-demo` with your repository details throughout the codebase.\n\n### 3a. Set Up Development Environment\n\nAfter customizing the template, set up your development environment:\n\n```bash\njust dev-setup\n```\n\nThis will:\n\n- Install development tools (uv, pre-commit)\n- Create virtual environment\n- Install dependencies\n- Set up pre-commit hooks\n\n**Already have tools installed?** Use `just install` to only install the package in development mode.\n\n### 4. Pin GitHub Actions\n\nFor maximum supply chain security, pin all GitHub Actions to specific commit SHAs:\n\n```bash\n# See the guide for detailed instructions\ncat docs/security/GITHUB-ACTION-PINS.md\n```\n\nReplace all `\u003cPINNED_SHA\u003e` placeholders in `.github/workflows/*.yml` files.\n\n### 5. Build and Test\n\n```bash\n# Using just (recommended)\njust build\njust test\njust verify\n\n# Or using uv directly\nuv build\nuv run pytest tests/ -v\n./dist/provenance-demo.pyz --version\n./dist/provenance-demo.pyz verify\n```\n\n### 6. Add Your Application Code\n\nNow that the template is configured, add your application logic:\n\n1. **Add Your Code:** Replace `src/demo_cli/` with your application logic\n2. **Update Tests:** Modify `tests/` to test your code\n3. **Update Documentation:** Customize docs and examples for your project\n4. **Configure Secrets:** (Optional) The `just init` wizard can set these up, or see [Platform Status](docs/distribution/PLATFORM-STATUS.md)\n\nSee the [Developer Guide](docs/contributing/DEVELOPER-GUIDE.md) for detailed development instructions.\n\n### 7. Release\n\n```bash\n# Tag a release\ngit tag v1.0.0 -m \"First release\"\ngit push origin v1.0.0\n\n# GitHub Actions will automatically:\n# - Build deterministic artifacts\n# - Sign with Sigstore/cosign\n# - Generate attestations and SBOM\n# - Run security scans\n# - Create GitHub Release\n# - (Optional) Publish to distribution platforms\n```\n\n## Verification\n\nAll releases include comprehensive security verification with **14 automated checks**:\n\n```bash\n# Download a release\ngh release download v0.0.1-alpha.40 --repo redoubt-cysec/provenance-template\n\n# Run verification (14/14 checks)\nGITHUB_REPOSITORY=redoubt-cysec/provenance-template \\\n  python3 provenance-demo.pyz verify\n```\n\n**Example Output:**\n\n```\n============================================================\n🔐 Verifying provenance-demo.pyz\n============================================================\nVersion: 0.0.1a40\nRepository: redoubt-cysec/provenance-template\n\n✓ Checksum Verification: SHA256 checksum matches release manifest\n✓ Sigstore Signature: Signature verified via Rekor transparency log\n✓ Certificate Identity: Certificate identity verified\n✓ Rekor Transparency Log: Rekor transparency log entry verified\n✓ GitHub Attestation: GitHub attestation verified\n✓ SBOM Attestation: SBOM attestation verified\n✓ SBOM Verification: Valid SBOMs in 2 format(s)\n✓ OSV Vulnerability Scan: No known vulnerabilities found\n✓ SLSA Provenance: SLSA provenance attestation verified\n✓ Build Environment: Build environment verified from SLSA provenance\n✓ Reproducible Build: Reproducible build verified\n✓ Artifact Metadata: Artifact metadata verified\n✓ License Compliance: License check passed\n✓ Dependency Pinning: All dependencies pinned to specific versions\n\n============================================================\nSummary: ✓ 14/14 checks passed\n============================================================\n```\n\nSee [VERIFICATION-EXAMPLE.md](docs/security/VERIFICATION-EXAMPLE.md) for detailed explanation of each check.\n\n## Example Usage\n\nThe template includes a demo CLI to show how everything works:\n\n```bash\n# Build the demo\njust build\n\n# Run the demo\n./dist/provenance-demo.pyz --version\n./dist/provenance-demo.pyz hello \"World\"\n./dist/provenance-demo.pyz verify\n```\n\nReplace the demo code in `src/demo_cli/` with your own application.\n\n## Documentation\n\n**📚 [Complete Documentation Index](docs/README.md)** - Comprehensive guide to all documentation\n\n### Getting Started\n\n- [Quick Start Guide](QUICK-START.md) - Get up and running in 5 minutes\n- [Developer Guide](docs/contributing/DEVELOPER-GUIDE.md) - Customize the template for your project\n- [Release Checklist](docs/contributing/RELEASE-CHECKLIST.md) - Pre-release verification steps\n\n### Security\n\n- [Supply Chain Security](docs/security/SUPPLY-CHAIN.md) - Verify releases with attestations\n- [Verification Example](docs/security/VERIFICATION-EXAMPLE.md) - Hands-on verification walkthrough\n- [Security Testing](docs/security/SECURITY-TESTING.md) - Details on 60+ security tests\n- [Security Checklist](docs/security/COMPLETE-SECURITY-CHECKLIST.md) - Complete security validation\n- [GitHub Action Pinning](docs/security/GITHUB-ACTION-PINS.md) - Pin Actions to commit SHAs\n- [Security Policy](docs/security/SECURITY.md) - Vulnerability disclosure and reporting\n\n### Testing\n\n- [Testing Strategy](docs/testing/TESTING-STRATEGY.md) - Three-phase testing approach\n- [Integration Testing](docs/testing/INTEGRATION-TESTING.md) - VM and container testing\n- [Testing Approaches](docs/testing/TESTING-APPROACHES.md) - Comparison of testing methods\n- [Testing Comparison](docs/testing/TESTING-APPROACHES-COMPARISON.md) - Detailed comparison table\n\n### Distribution\n\n- [Quick Start Guides](docs/distribution/quickstart/README.md) - Platform-specific installation guides (10 platforms)\n- [Platform Status](docs/distribution/PLATFORM-STATUS.md) - Complete platform readiness \u0026 testing status\n- [Platform Support](docs/distribution/PLATFORM-SUPPORT.md) - Installation on 18+ platforms\n- [Publishing Guide](docs/distribution/PUBLISHING-GUIDE.md) - Publish to registries\n- [Distribution Platforms](docs/distribution/distribution_platforms.md) - Platform-specific details\n\n### Contributing\n\n- [Contributing Guide](docs/contributing/CONTRIBUTING.md) - How to contribute to this project\n- [Pre-Release Checklist](docs/contributing/PRE-RELEASE-CHECKLIST.md) - Critical checks before release\n\n## Features\n\n### Automated Security Pipeline\n\n- **Deterministic Builds:** Reproducible artifacts with hash verification\n- **Keyless Signing:** Sigstore/cosign integration (no private keys to manage)\n- **Attestations:** GitHub provenance with SLSA compliance\n- **SBOM Generation:** CycloneDX format with dependency tracking\n- **Vulnerability Scanning:** OSV database integration for known vulnerabilities\n- **Hardened Workflows:** StepSecurity Harden-Runner with network egress control\n- **Pinned Dependencies:** All GitHub Actions pinned to commit SHAs\n- **Rebuilder Workflow:** Verify reproducibility automatically\n\n### Comprehensive Testing\n\n- **178 Security Tests:** Cryptographic integrity, pipeline configuration, runtime security (far exceeds 60+ claimed)\n- **Distribution Testing:** Phase 1 validation (16 platforms) + Phase 2 integration (10 platforms)\n- **Platform Coverage:** 48 Phase 1 tests + 8 Phase 2 integration tests\n- **Meta-Test Enforcement:** Ensures all distribution tests verify attestations\n- **Integration Tests:** VM-based testing with Multipass (Ubuntu, macOS)\n- **Coverage Tracking:** 100% coverage of critical security paths\n\n### Multi-Platform Distribution\n\n**Production-ready with automated workflows (10 platforms):**\n\n- PyPI (pip/uv), pipx, GitHub Releases, direct .pyz\n- Homebrew (macOS/Linux), Snap, Docker/OCI\n- Chocolatey, WinGet, Scoop (Windows)\n\n**Configuration templates in `packaging/` directory (6 platforms):**\n\n- Flatpak, APT/Debian, RPM/Fedora, AUR/Arch, AppImage, Nix/NixOS\n\n**Status:** See [PLATFORM-STATUS.md](docs/distribution/PLATFORM-STATUS.md) for complete details on each platform's readiness, testing coverage, and automation status.\n\n## Project Status\n\n**Production Ready:** This template powers real-world secure releases and has been battle-tested with:\n\n- ✅ 178 security tests passing (100% pass rate)\n- ✅ 10 production platforms fully tested with Phase 2 integration tests\n- ✅ 6 platforms with Phase 1 validation and configuration templates\n- ✅ Zero security test failures\n- ✅ Reproducible builds verified\n- ✅ All supply chain security best practices implemented\n- ✅ Complete documentation and testing guides\n\n## Who This Is For\n\n- **CLI Tool Developers:** Building Python command-line applications\n- **Security-Conscious Teams:** Need supply chain security compliance (SLSA, SBOM)\n- **Open Source Maintainers:** Want professional release automation\n- **Enterprise Projects:** Require cryptographic verification and attestations\n- **Multi-Platform Publishers:** Need to distribute across many platforms\n\n## Requirements\n\n- **Python:** 3.11 or higher\n- **uv:** Fast Python package installer ([installation](https://github.com/astral-sh/uv))\n- **Git:** Version control\n- **GitHub:** For Actions, attestations, and releases\n- **Optional:** just, Docker, Multipass (for testing)\n\n## Contributing\n\nWe welcome contributions! See [CONTRIBUTING.md](docs/contributing/CONTRIBUTING.md) for:\n\n- Code of conduct\n- Development setup\n- Testing guidelines\n- Pull request process\n- Release procedures\n\n## License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n## Acknowledgments\n\nBuilt with modern security best practices:\n\n- [Sigstore](https://www.sigstore.dev/) for keyless signing\n- [SLSA](https://slsa.dev/) for supply chain security framework\n- [CycloneDX](https://cyclonedx.org/) for SBOM generation\n- [OSV](https://osv.dev/) for vulnerability scanning\n- [StepSecurity](https://www.step-security.io/) for CI/CD hardening\n- [uv](https://github.com/astral-sh/uv) for fast Python tooling\n\n## Support\n\n- **Issues:** [GitHub Issues](https://github.com/redoubt-cysec/provenance-template/issues)\n- **Discussions:** [GitHub Discussions](https://github.com/redoubt-cysec/provenance-template/discussions)\n- **Security:** See [SECURITY.md](SECURITY.md) for vulnerability reporting\n\n---\n\n**Start building secure Python CLIs today.** Click \"Use this template\" to get started.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredoubt-cysec%2Fprovenance-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredoubt-cysec%2Fprovenance-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredoubt-cysec%2Fprovenance-template/lists"}