I don't just write the tool. Every version goes through a compliance gauntlet I built, with pass/fail criteria and evidence artifacts, before it ships.
A deterministic security regression suite that runs against a specific source version and produces a verdict plus evidence. Stages are mapped to NIST SSDF, OWASP ASVS, and CIS Controls, with a per-version control-mapping document. Real results from the v464 release gate:
| Stage | Tooling | Result | Findings |
|---|---|---|---|
| SAST | Bandit + Semgrep | PASS | 0 HIGH · 47 MEDIUM triaged · 48 LOW |
| Dependency audit (SCA) | pip-audit / OSV | PASS | 0 advisories across 8 pinned deps |
| Secret scanning | gitleaks + custom Tenable-key patterns | PASS | 0 leaks across the tree |
| License audit | pip-licenses | PASS | 26 packages, 0 denied, 0 unknown |
| SBOM | CycloneDX 1.6 | PASS | 8 components, shipped with release |
| Data-at-rest probe | custom (perms, plaintext secrets, integrity tags) | PASS | 0 findings across 45 state files |
| Binary scan · reproducibility · signing verify | post-build stages | gated on binary build | run at packaging time, not source gate |
evidence: compliance/evidence/<version>/ · verdict file: GAUNTLET_SUMMARY.md · first run surfaced and fixed 3 issue classes before the PASS was declared — including SEC-001, a create-then-chmod race on the API credential file, fixed by creating it 0600 from the first syscall
Hash-chained logs catch casual edits. For insider-grade tampering — an attacker who can rewrite the whole log and recompute every hash — I implemented the primitives that back Certificate Transparency and modern supply-chain attestation, and tested them against the specs' own vectors:
code: ticket_time_machine/transparency.py · provenance.py · 50+ dedicated tests · runbook: production/SIGN_RELEASE_LINUX_RUNBOOK.md
The project ships with a real SECURITY.md: private reporting channel, acknowledgment
within 3 business days, reproduction within 7, patch within 30 calendar days for HIGH/CRITICAL
findings and 90 otherwise, reporter credit in release notes, and a stated threat model covering the
API connection, credential storage, state files, audit log, and signing chain. Only the latest
release line is patched; older lines are retained for forensic purposes and marked unsupported.