Trust
Security & Trust Center
One place for the evidence enterprise teams need to evaluate StreetJS — supply-chain integrity, security posture, and governance. Every item below links to a verifiable artifact.
StreetJS is built for teams that have to answer security questionnaires. The framework ships with a native-driver, dependency-light core (3 runtime dependencies) and a signed plugin model, and every release is produced with provenance attestations and a software bill of materials.
Supply-chain integrity
| Signal | What it proves | Where |
|---|---|---|
| npm provenance | Each published package is built from this repo by CI, with a signed attestation | npm: streetjs |
| CycloneDX SBOM | A per-release software bill of materials is generated and committed | sbom.json · generator |
| Cosign release signing | Release blobs are keyless-signed with Sigstore (no long-lived key) | ci-cd.yml |
| OpenSSF Scorecard | Automated supply-chain best-practice scoring | Scorecard · workflow |
| CodeQL | Static analysis on every push | Code scanning · workflow |
| Secret scanning | CI fails on committed secrets (Gitleaks + TruffleHog) | secret-scan.yml |
| Dependency review | PRs are blocked on high-severity dependency advisories | dependency-review.yml |
| DAST | Dynamic application security testing in CI | dast.yml |
| Signed plugins | Ed25519-signed manifests verified by the plugin host before load | Plugin system |
| 3 runtime dependencies | Minimal third-party attack surface (reflect-metadata, ws, zod) |
package.json · sbom.json |
Security posture
- Security policy & disclosure — SECURITY.md
- Threat model — documented attacker model and mitigations — THREAT-MODEL.md
- Compliance control mappings — feature-to-control mappings for SOC 2, HIPAA, GDPR, PCI-DSS (capabilities vs operator responsibilities) — control-mappings.md
- Built-in protections — JWT, AES-256-GCM sessions, scrypt vault, sliding-window rate limiting, XSS sanitizer, CSRF, CORS, CSP, parameterized queries, SCRAM-SHA-256 database auth, bounded memory on every component.
Governance & process
| Area | Document |
|---|---|
| Project governance | GOVERNANCE.md |
| Contributing | CONTRIBUTING.md |
| Code of conduct | CODE_OF_CONDUCT.md |
| RFC process | rfcs/ |
| Release process | Versioned, provenance-signed, lockstep-verified v*.*.* tags |
| Support windows | LTS policy · Compatibility matrix |
Enterprise adoption checklist
- OSI-approved license (MIT)
- SBOM available per release (CycloneDX)
- Build provenance / attestations (npm) + cosign release signing (Sigstore)
- Automated security scanning (CodeQL, OpenSSF, secret scanning, dependency review, DAST)
- Documented security disclosure policy + threat model
- Compliance control mappings (SOC 2, HIPAA, GDPR, PCI-DSS)
- Self-hostable — no mandatory managed services or external calls
- Audit-log primitives (see the SaaS starter)
- Defined support windows (LTS policy)
All claims on this page are evidence-based and link to a verifiable artifact. Found a gap? Open a security advisory.