Application Provenance
Build provenance and attestations for the LinnemanLabs web server binary
Provenance for the currently running server binary - source information, build attestations, vulnerability scans, SBOMs, licensing, and container metadata. The application is a custom Go binary built with security and observability as primary concerns.
Source: linnemanlabs-web on GitHub
Source: build-system on GitHub
This page currently covers application-level provenance. I’m working toward extending attestations down through the full trust hierarchy - OS-level integrity (IMA/EVM), dm-verity verified filesystems, kernel lockdown, UEFI Secure Boot, and TPM-based hardware attestation - so that every layer is cryptographically anchored to the one below it.
Application
Track: — · Built —
—
Gate: —
Build
Source
Builder
Signing
Method
—
Key Reference
—
Signed Artifacts
Artifacts
Index
Inventory
Release
Attestations
—
Total
—
Source
—
Artifact
Attested Categories
SBOM
Scan
License
Policy
Enforcement
—
Inventory signature
Subject signatures
Evidence Requirements
SBOM
Scan
License
Provenance
Attestations
Vulnerability Gating
Block On
Allow if VEX
—
License Policy
Allowed Licenses
Denied Licenses
Unknown licenses: —
Vulnerabilities
—
Critical
—
High
—
Medium
—
Low
—
Negligible
—
Unknown
Total
—
Worst Severity
—
Gate Result
—
(threshold: —)
Scope
—
Deduplication
—
Scanned At
—
Scanners
Per-Scanner Results
Software Bill of Materials
Source Packages
—
Artifact Packages
—
Generators
Formats Produced
Generated At
—
Licenses
—
Licenses Found
Denied Licenses Found
None
Packages Without License
—
Evidence
—
Evidence Files
Completeness
SBOM (source)
SBOM (artifacts)
Scan (source)
Scan (artifacts)
License (source)
License (artifacts)
Attestations
Categories
Artifacts
Binary
Platform
—
Size
—
SHA256
—
Container
Repository
—
Tag
—
Pushed At
—
Digest
—
Digest Reference
—
Media Type
—
Artifact Type
—