Compliance & Audit

This section provides auditor-facing compliance evidence for container images built by wellmaintained/packages.

Methodology

All container images are built using Nix for full reproducibility. The build pipeline generates compliance artifacts alongside every image:

1. CycloneDX SBOMs — complete software bills of materials
2. sbomqs quality scores — SBOM completeness and quality ratings
3. Vulnerability reports — CVE scanning results
4. License summaries — dependency license analysis

Resources

• Audit Evidence Pack — downloadable evidence bundles for GRC tools
• Vulnerability Remediation SLA — remediation timelines by severity
• Vulnerability Status — latest scan results per image
• VEX Statements — triage decisions for reported CVEs
• sbomify Trust Centre — machine-readable compliance data via TEA API