Security & Supply Chain

Overview

sqry takes a defense-in-depth approach to build security and supply chain integrity. Public release artifacts are checksummed and covered by release-wide Sigstore DSSE attestation metadata. Dependencies are audited continuously, and the query parser is fuzzed on every PR.

Signed Builds & Provenance

Every public release ships with Sigstore keyless attestation metadata. No long-lived signing keys are used; release provenance flows through GitHub OIDC.

Current releases publish:

The install scripts verify checksums by default. The VS Code extension downloader verifies the release-wide DSSE attestation bundle, then binds the selected binary to the release manifest and SHA256 subject digest before accepting it.

Release Transparency

The current public release asset set is the authoritative source for downloadable artifacts: binaries, VSIX, SHA256SUMS.txt, release-manifest.json, the release ledger, and the release-wide DSSE attestation bundle. Do not assume SBOM, VEX, or vulnerability-scan files are present unless they appear in that release’s asset list.

Dependency Auditing

Every dependency is audited via cargo-vet with imports from Mozilla, Google, and Bytecode Alliance. cargo-deny enforces license policy and CVE checks on every commit.

Continuous Fuzzing & UB Detection

The query parser is fuzzed on every PR and in extended nightly runs with AddressSanitizer. Miri checks for undefined behavior weekly. Malformed input tests cover the language parser suite.

Mutation Testing & Coverage

Weekly mutation testing via cargo-mutants validates that tests catch real bugs, not just pass. LLVM-based code coverage is collected with enforced minimum thresholds, and Clippy runs under a zero-warning policy across all platforms.

Unsafe Code Tracking

Weekly cargo-geiger audits track every unsafe block across all crates. Quarterly security audits combine RustSec advisory checks, license enforcement, and supply chain verification.