Security Policy

Reporting a Vulnerability

If you discover a security vulnerability within this project, please send an e-mail to tiago.peczenyj+cpan@gmail.com.

All security vulnerabilities will be promptly addressed. We request that you do not report security-related issues through public GitHub issues.

Supply Chain Security

This project targets SLSA Build Level 1. Every release produces signed build provenance — a document describing how each artifact was built — generated by the Release GitHub Actions workflow and stored in GitHub's attestation store.

Provenance is generated for both published artifacts: the CPAN distribution tarball attached to each GitHub Release, and the Docker image published to docker.io/peczenyj/GDPR-IAB-TCFv2.

Verifying provenance

With the GitHub CLI installed, you can verify that an artifact was built by this repository's release workflow:

# CPAN distribution tarball (downloaded from the GitHub Release)
gh attestation verify GDPR-IAB-TCFv2-X.Y.tar.gz --repo peczenyj/GDPR-IAB-TCFv2

# Docker image
gh attestation verify oci://docker.io/peczenyj/GDPR-IAB-TCFv2:vX.Y --repo peczenyj/GDPR-IAB-TCFv2

Replace X.Y with the release version.
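As an added example that is not part of the project's own tooling: once gh has verified the signature on an attestation, the provenance statement inside it can still be checked against your own policy (does the subject digest match the file you hold, did the expected repository's workflow build it). The checker below follows the in-toto v1 statement and SLSA provenance v1 layout with GitHub's workflow build type (buildDefinition.externalParameters.workflow); the sample statement, tarball bytes, workflow path and builder id are constructed for illustration.

```python
import hashlib

# Values from the project's security policy; everything else here is constructed.
EXPECTED_REPO = "https://github.com/peczenyj/GDPR-IAB-TCFv2"
INTOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_provenance(statement, artifact_name, artifact, expected_repo=EXPECTED_REPO):
    """Return policy violations found in a provenance statement (empty list = OK).

    Only the statement's claims are checked; its signature must already have been
    verified (that is gh attestation verify's job), or these fields prove nothing.
    """
    problems = []
    if statement.get("_type") != INTOTO_STATEMENT:
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_V1:
        problems.append("predicate is not SLSA provenance v1")
    # The subject must name the file we hold, with a matching sha256 digest.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("no subject matches %s with sha256 %s" % (artifact_name, digest))
    # The build must have been driven by a workflow in the expected repository
    # (GitHub Actions build type: buildDefinition.externalParameters.workflow).
    predicate = statement.get("predicate", {})
    workflow = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append("workflow repository %r != %r" % (workflow.get("repository"), expected_repo))
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith("https://github.com/"):
        problems.append("builder id %r is not a GitHub Actions builder" % builder)
    return problems


# Constructed sample: stand-in tarball bytes plus a statement describing them.
SAMPLE_NAME = "GDPR-IAB-TCFv2-1.2.tar.gz"
SAMPLE_ARTIFACT = b"constructed stand-in for the release tarball\n"
SAMPLE_STATEMENT = {
    "_type": INTOTO_STATEMENT,
    "predicateType": SLSA_V1,
    "subject": [{"name": SAMPLE_NAME, "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicate": {
        "buildDefinition": {"externalParameters": {"workflow": {
            "ref": "refs/tags/v1.2", "repository": EXPECTED_REPO, "path": ".github/workflows/release.yml"}}},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}
```

A tampered tarball, a statement for a different file, or a workflow from another repository each produce a non-empty problem list, so the caller can fail closed before installing.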