Trust

Security & Trust Center

One place for the evidence enterprise teams need to evaluate StreetJS — supply-chain integrity, security posture, and governance. Every item below links to a verifiable artifact.

StreetJS is built for teams that have to answer security questionnaires. The framework ships with a native-driver, dependency-light core (3 runtime dependencies) and a signed plugin model, and every release is produced with provenance attestations and a software bill of materials.

Supply-chain integrity

Signal What it proves Where
npm provenance Each published package is built from this repo by CI, with a signed attestation npm: streetjs
CycloneDX SBOM A per-release software bill of materials is generated and committed sbom.json · generator
Cosign release signing Release blobs are keyless-signed with Sigstore (no long-lived key) ci-cd.yml
OpenSSF Scorecard Automated supply-chain best-practice scoring Scorecard · workflow
CodeQL Static analysis on every push Code scanning · workflow
Secret scanning CI fails on committed secrets (Gitleaks + TruffleHog) secret-scan.yml
Dependency review PRs are blocked on high-severity dependency advisories dependency-review.yml
DAST Dynamic application security testing in CI dast.yml
Signed plugins Ed25519-signed manifests verified by the plugin host before load Plugin system
3 runtime dependencies Minimal third-party attack surface (reflect-metadata, ws, zod) package.json · sbom.json

Security posture

  • Security policy & disclosureSECURITY.md
  • Threat model — documented attacker model and mitigations — THREAT-MODEL.md
  • Compliance control mappings — feature-to-control mappings for SOC 2, HIPAA, GDPR, PCI-DSS (capabilities vs operator responsibilities) — control-mappings.md
  • Built-in protections — JWT, AES-256-GCM sessions, scrypt vault, sliding-window rate limiting, XSS sanitizer, CSRF, CORS, CSP, parameterized queries, SCRAM-SHA-256 database auth, bounded memory on every component.

Governance & process

Area Document
Project governance GOVERNANCE.md
Contributing CONTRIBUTING.md
Code of conduct CODE_OF_CONDUCT.md
RFC process rfcs/
Release process Versioned, provenance-signed, lockstep-verified v*.*.* tags
Support windows LTS policy · Compatibility matrix

Enterprise adoption checklist

  • OSI-approved license (MIT)
  • SBOM available per release (CycloneDX)
  • Build provenance / attestations (npm) + cosign release signing (Sigstore)
  • Automated security scanning (CodeQL, OpenSSF, secret scanning, dependency review, DAST)
  • Documented security disclosure policy + threat model
  • Compliance control mappings (SOC 2, HIPAA, GDPR, PCI-DSS)
  • Self-hostable — no mandatory managed services or external calls
  • Audit-log primitives (see the SaaS starter)
  • Defined support windows (LTS policy)

All claims on this page are evidence-based and link to a verifiable artifact. Found a gap? Open a security advisory.