Evidence Manifest (Release Candidate)
Release Candidate
- Service/Image: _______________________________
- Tag/Digest: _________________________________
- Build ID / Commit: __________________________
- Date: _______________________________________
Artifacts (paths under ./artifacts/)
- SBOM: sbom.json / sbom-image.json (signed bundle: sbom.bundle)
- SCA (image): trivy-image.json
- SAST: semgrep.json
- Secrets: trufflehog.json
- IaC: checkov.json
- Dockerfile lint: hadolint.txt
- K8s config: kube-linter.sarif, kube-score.txt
- Policies: policy-apply.txt, policy-tests.txt
- DAST: zap/report.html, zap/report.json
- Runtime (optional): falco-last10m.log
- Cosign (image/SBOM): image-digest.txt, image-digest.bundle, cosign-verify*.txt
Gates Summary
- Secrets (verified): Pass / Fail — Notes: ______________________
- SAST (H/C curated): Pass / Fail — Notes: ______________________
- IaC (high-risk): Pass / Fail — Notes: _________________________
- SCA (Crit, High w/ fix): Pass / Fail — Notes: _________________
- Licenses: Pass / Warn / Fail — Notes: _________________________
- Admission readiness: Pass / Fail — Notes: _____________________
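The following script is an added illustration of how the Secrets (verified) and SCA (Crit, High w/ fix) rows above can be decided mechanically from the listed artifacts; it is not part of the manifest or of any of the named tools. It assumes the Trivy JSON image report layout (Results[].Vulnerabilities[] with Severity and FixedVersion) and TruffleHog's per-finding JSON objects carrying a Verified flag; the sample findings are constructed.

```python
import json
from pathlib import Path

# Gate rule from the manifest: any CRITICAL finding fails, and a HIGH finding
# fails only when a fixed version is available ("Crit, High w/ fix").
def sca_gate(trivy_report: dict) -> tuple[str, list[str]]:
    blocking = []
    for result in trivy_report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "")).upper()
            has_fix = bool(v.get("FixedVersion"))
            if sev == "CRITICAL" or (sev == "HIGH" and has_fix):
                blocking.append(f"{v.get('VulnerabilityID')} {v.get('PkgName')} {sev}")
    return ("Fail" if blocking else "Pass", blocking)

# Gate rule from the manifest: only *verified* secrets block the release.
def secrets_gate(findings: list[dict]) -> tuple[str, list[str]]:
    verified = [f.get("DetectorName", "?") for f in findings if f.get("Verified")]
    return ("Fail" if verified else "Pass", verified)

# Evidence completeness: every expected artifact (globs allowed, e.g.
# cosign-verify*.txt) must exist under the artifacts root.
def missing_artifacts(root: Path, expected: list[str]) -> list[str]:
    return [p for p in expected if not any(root.glob(p))]

# Constructed sample data (not real scan output).
SAMPLE_TRIVY = {"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libx", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "liby", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libz", "Severity": "HIGH",
     "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libw", "Severity": "MEDIUM",
     "FixedVersion": "2.0"},
]}]}
SAMPLE_TRUFFLEHOG = [
    {"DetectorName": "AWS", "Verified": True},
    {"DetectorName": "Generic", "Verified": False},
]

if __name__ == "__main__":
    print("SCA:", *sca_gate(SAMPLE_TRIVY))
    print("Secrets:", *secrets_gate(SAMPLE_TRUFFLEHOG))
    root = Path("./artifacts")
    print("Missing:", missing_artifacts(root, ["sbom.json", "cosign-verify*.txt"]))
```

Note that on the sample the SCA gate fails for CVE-0000-0001 and CVE-0000-0003 but not for the unfixed HIGH or the fixed MEDIUM, which is exactly the distinction the manifest row draws.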
Exceptions
- IDs & Expiry: _________________________________________________
- Compensating controls: ________________________________________
Review & Sign-off
- Reviewer (Security): ____________ Date: _________
- Reviewer (Ops): ____________ Date: _________
- Reviewer (Eng): ____________ Date: _________