Supply Chain Security

Railguard Trust Center

Cryptographically verifiable software supply chain with independent audit trails

SLSA Level 3Cosign SignedSBOM Included
Download Trust Center DocsVerify Latest Release

Overview

Railguard is shipped through a unified, signed release pipeline. Every version has:

  • Cryptographic signatures (Cosign with keyless GitHub OIDC)
  • Software Bill of Materials (SBOM) for every service in SPDX format
  • Complete provenance traceable to specific git commits and workflow runs
  • Independent verification using open-source tools

Our release process is designed to be provable, not just “trust us.”

How Releases Work

┌─────────────────────────────────────────────┐
│ Platform Tag: platform/v3.1.1 │
│ ↓ │
│ ┌─────────────────────────────┐ │
│ │ 1. Run Tests │ │
│ └───────────┬─────────────────┘ │
│ ↓ │
│ ┌─────────────────────────────┐ │
│ │ 2. Build & Sign Release │ │
│ │ • Build containers │ │
│ │ • Cosign signatures │ │
│ │ • Generate SBOMs │ │
│ │ • Create GitHub release │ │
│ │ • Validate artifacts │ │
│ └─────────────────────────────┘ │
│ │
│ Result: Signed images + SBOMs + manifest │
└─────────────────────────────────────────────┘

Fast Track

For development and staging environments

  • develop → tests → deploy-dev
  • main → tests → deploy-staging
  • • Optimized for iteration speed

Heavy Freight

For production-ready releases

  • platform/v*.*.* → full build & sign
  • • Creates public GitHub releases
  • • Optimized for integrity and auditability

Single Workflow: Both paths run through one workflow (.github/workflows/platform-release.yml) — no configuration drift, one audit trail.

Cryptographic Verification

You can verify our latest release right now using these commands:

Install Cosign (one-time setup)

brew install cosign

Verify Gateway service

cosign verify ghcr.io/railguardai/railguard-gateway/gateway:v3.1.1 \
  --certificate-identity-regexp='^https://github.com/RailguardAI/railguard-gateway' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

Verify API service

cosign verify ghcr.io/railguardai/railguard-gateway/api:v3.1.1 \
  --certificate-identity-regexp='^https://github.com/RailguardAI/railguard-gateway' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

What This Proves

  • Built by GitHub Actions (not a developer laptop)
  • Official RailguardAI repository (certificate subject matches)
  • Specific workflow run (traceable to exact execution)
  • Cryptographically unforgeable (OIDC certificate chain validates to GitHub root CA)

SBOM & Transparency

Every Railguard release includes Software Bills of Materials (SBOM) for all services:

  • gateway.spdx.json — Complete dependency list for Gateway service
  • api.spdx.json — Complete dependency list for API service
  • SPDX format (industry standard, machine-readable)

For Security Teams

  • • Scan for known vulnerabilities (CVEs)
  • • Track third-party dependencies
  • • Identify outdated components

For Compliance

  • • Executive Order 14028 (federal)
  • • SOC 2 Type II evidence
  • • ISO 27001 asset inventory

For Risk Management

  • • Supply chain exposure
  • • Licensing obligations
  • • Plan dependency updates

Download & Inspect

# Download v3.1.1 artifacts
gh release download v3.1.1 -R RailguardAI/railguard-gateway

# Inspect Gateway SBOM
cat gateway.spdx.json | jq '.packages[] | {name, version, supplier}'

# Scan for vulnerabilities (example with Grype)
grype sbom:gateway.spdx.json

Compliance Mapping

FrameworkRailguard Implementation
SLSA Level 3Scripted builds, signed provenance, isolated build environments
NIST SSDFSupply chain security controls, SBOM generation, signature verification
SOC 2 Type IIAudit logging, access controls, deployment gating, change management
ISO 27001Asset management (SBOMs), cryptographic controls, incident response
FedRAMPContinuous monitoring, configuration management, incident response

Evidence Available: Complete release dossiers, workflow execution logs, cryptographic signatures, SBOM files, and security control documentation (63-point checklist).

Security & Diligence Requests

For CISOs & Security Reviewers

Need detailed documentation for security reviews or vendor assessments?

  • 📄 Trust Center Release Process
  • 📄 Platform v3.1.1 Release Dossier
  • 📄 Security Controls Inventory (63-point checklist)
  • 📄 Compliance Framework Mapping
Contact Security Team →

For Investors & Partners

Conducting technical due diligence or integration planning?

  • 📄 Unified Pipeline Architecture
  • 📄 Release Pattern Guide
  • 📄 Platform v3.1.1 Verification Instructions
Contact Partnerships →

For RFP Responses

Answering a security questionnaire or RFP? We provide pre-written responses, evidence packages, and verification instructions.

Request RFP Package

Quick Links

View Latest ReleaseDownload Trust Center DocsVerify Container SignaturesRelease HistoryRead Blog Post

Supply Chain v1.0 achieved on November 30, 2025 (PR #405)

Platform v3.1.1 — First fully validated release with complete documentation

Trust Center | Railguard AI | Railguard AI