2,669 components, public, signed, audited.
Every FlyttGo module ships a CycloneDX 1.6 SBOM at release. Sigstore-signed, SLSA L3 build provenance attached, CVE-cross-referenced every six hours. Most platform vendors keep this internal — making it public is the procurement floor.
- Modules: 8
- Components total: 2,669
- Critical CVEs · open: 0
- High CVEs · open: 0
Four floors procurement teams expect.
- SB.PR.01 · CycloneDX 1.6 per release
  Every release of every module emits a CycloneDX 1.6 SBOM at build time. Spec-conformant, machine-readable, ingestible by Dependency-Track, GitHub Dependabot, OWASP DefectDojo and any compliant scanner.
- SB.PR.02 · Sigstore-signed artefacts
  Container images, release archives and the SBOM itself are Cosign-signed. Tenants can require signature verification at admission via the platform-policy API; the signing key chain is published alongside the SBOM.
- SB.PR.03 · SLSA Build Level 3 provenance
  Hosted-builder SLSA L3: the provenance attestation states which source revision, which builder and which build steps produced the artefact. This stops a compromised developer laptop from producing a published artefact.
- SB.PR.04 · CVE cross-reference + auto-revoke
  SBOMs are cross-referenced against the OSV.dev and NVD vulnerability databases on every release and every 6 hours thereafter. A new high or critical CVE on a published artefact triggers an automated revocation channel and a customer notification.
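The SB.PR.04 check, as an added example that is not FlyttGo's own code: parse a CycloneDX 1.6 SBOM, match each component's purl against a vulnerability feed, and apply the rule that a high or critical CVE on a published artefact revokes it. The SBOM, the feed records, their shape and the CVE identifiers are constructed placeholders; the feed stands in for what a checker would pull from OSV.dev.

```python
# Added example (not FlyttGo code): cross-reference a CycloneDX 1.6 SBOM
# against a vulnerability feed and apply the SB.PR.04 revoke rule.
import json

# Constructed CycloneDX 1.6 document: two npm components with purls.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "next", "version": "14.2.0",
         "purl": "pkg:npm/next@14.2.0"},
        {"type": "library", "name": "jose", "version": "5.9.0",
         "purl": "pkg:npm/jose@5.9.0"},
    ],
})

# Constructed feed records (placeholder CVE ids, not real advisories).
# Shape assumed: versionless purl, affected versions, id, severity.
SAMPLE_FEED = [
    {"purl": "pkg:npm/jose", "affected": ["5.9.0"],
     "id": "CVE-0000-00001", "severity": "HIGH"},
    {"purl": "pkg:npm/next", "affected": ["13.0.0"],
     "id": "CVE-0000-00002", "severity": "CRITICAL"},
]

def split_purl(purl):
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    base, sep, version = purl.rpartition("@")
    if not sep or "/" in version:  # no version, or '@' is an npm scope
        return purl, None
    return base, version

def cross_reference(sbom_json, feed):
    """Return (purl, cve_id, severity) for every affected SBOM component."""
    sbom = json.loads(sbom_json)
    if (sbom.get("bomFormat"), sbom.get("specVersion")) != ("CycloneDX", "1.6"):
        raise ValueError("expected a CycloneDX 1.6 document")
    index = {}
    for rec in feed:  # group feed records by versionless purl
        index.setdefault(rec["purl"], []).append(rec)
    findings = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        for rec in index.get(base, []):
            if version in rec["affected"]:
                findings.append((comp["purl"], rec["id"], rec["severity"]))
    return findings

def should_revoke(findings):
    """SB.PR.04: any high or critical CVE on a published artefact revokes it."""
    return any(sev in ("HIGH", "CRITICAL") for _, _, sev in findings)
```

Running `cross_reference(SAMPLE_SBOM, SAMPLE_FEED)` flags only `jose@5.9.0`; `next@14.2.0` is not in the affected list, so the critical record for it does not fire.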
Eight modules, current release per row.
| ID | Module | Version | Released | Components | Open high/critical CVEs | Top dependencies | Attestations |
|---|---|---|---|---|---|---|---|
| SB.TR | Transify | v1.14.7 | 2026-04-30 | 384 | None | next@14.2, postgres@16.2, redis@7.2, opentelemetry@1.26 | SLSA L3, Sigstore, CycloneDX 1.6 |
| SB.WK | Workverge | v1.09.3 | 2026-04-22 | 312 | None | next@14.2, postgres@16.2, opentelemetry@1.26, pg-boss@9.0 | SLSA L3, Sigstore, CycloneDX 1.6 |
| SB.CV | Civitas | v1.18.0 | 2026-04-14 | 421 | None | next@14.2, postgres@16.2, redis@7.2, opentelemetry@1.26 | SLSA L3, Sigstore, CycloneDX 1.6 |
| SB.ED | EduPro | v1.11.5 | 2026-04-07 | 298 | None | next@14.2, postgres@16.2, opentelemetry@1.26, kafka@3.7 | SLSA L3, Sigstore, CycloneDX 1.6 |
| SB.ID | Identra | v1.22.1 | 2026-03-18 | 256 | None | next@14.2, postgres@16.2, jose@5.9, opentelemetry@1.26 | SLSA L3, Sigstore, CycloneDX 1.6, eIDAS-aligned |
| SB.PV | Payvera | v1.19.4 | 2026-04-30 | 412 | None | next@14.2, postgres@16.2, redis@7.2, iso20022-tools@2.4 | SLSA L3, Sigstore, CycloneDX 1.6, PSD2-aligned |
| SB.LD | Ledgera | v1.06.2 | 2026-04-04 | 219 | None | next@14.2, postgres@16.2, opentelemetry@1.26, kafka@3.7 | SLSA L3, Sigstore, CycloneDX 1.6 |
| SB.MP | FlyttGo Marketplace | v1.07.8 | 2026-04-22 | 367 | None | next@14.2, postgres@16.2, redis@7.2, transify-sdk@1.14 | SLSA L3, Sigstore, CycloneDX 1.6 |
CVE counts refresh every six hours. Each download link returns the current CycloneDX 1.6 JSON with attached signatures and provenance manifest. Older releases are archived under /sbom/{module}/{version}.
SBOM is the floor for every other trust artefact.
A public SBOM is a procurement starting point — not the destination. The four pathways below take a security review from this registry to a signed engagement.
- OS.00 · Open standards
  CycloneDX 1.6, SLSA L3, Sigstore, OpenSSF Scorecard: every standard the supply-chain posture inherits.
  OS.00 · 33 standards
- PQ.00 · Post-quantum
  Code-signing keys are migrating to ML-DSA hybrid; SBOM-signing follows.
  PQ.00 · 8 surfaces
- TC.00 · Trust artefacts
  SOC 2, ISO 27001, DPA, subprocessors, vulnerability disclosure.
  TC.00 · 8 artefacts
- CB.00 · Open security review
  Routed under the CT.01 platform architecture session; security-led scoping.
  CT.01 · CB.00