Core concepts

Deterministic evidence engine

With input artifacts and run context (including --as-of) pinned, SBOMFlow produces stable identifiers, content hashes, and byte-reproducible release artifacts. Opt-in operational phase durations are excluded from determinism checks. This is what makes an evidence record re-checkable and diffable.

Product and release identity

Evidence is anchored to a product, a declared product class, and a specific release/version. Identity is what lets decisions and drift be compared release to release.

Provenance and hashing

Every input file is hashed (SHA-256). Every release decision traces back to the exact bytes it was made from. Provenance is always recorded.
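The two ideas above (an evidence record whose identity is derived from the exact input bytes, and a determinism check that ignores opt-in operational durations) can be sketched in a few lines. This is an added illustration, not SBOMFlow's own code: the field name `phase_durations_ms`, the record layout, and the sample artifacts are all assumptions made for the example. It also shows how per-input hashes make two records diffable, which is the raw material for a release drift comparison.

```python
import hashlib
import json


# Opt-in operational fields that may be recorded in the evidence but must never
# influence the determinism check. The field name is a placeholder chosen for
# this example; it is not an SBOMFlow identifier.
VOLATILE_FIELDS = frozenset({"phase_durations_ms"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    """One byte representation per logical value: sorted keys, no whitespace,
    ASCII only. Without this, key order or spacing would change the hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def hash_inputs(inputs):
    """Provenance: every input artifact is hashed by its exact bytes (SHA-256).
    Sorting by path keeps the list order independent of how inputs were given."""
    return [{"path": path, "sha256": sha256_hex(data)}
            for path, data in sorted(inputs.items())]


def build_evidence(product, product_class, version, as_of, inputs,
                   phase_durations_ms=None):
    """Build an evidence record anchored to product identity, run context
    (as_of) and input provenance. evidence_id is derived from those fields
    only, so two runs over the same bytes produce the same id."""
    record = {
        "product": product,
        "product_class": product_class,
        "version": version,
        "as_of": as_of,
        "inputs": hash_inputs(inputs),
    }
    record["evidence_id"] = sha256_hex(canonical_json(record))
    if phase_durations_ms is not None:  # opt-in, recorded but volatile
        record["phase_durations_ms"] = phase_durations_ms
    return record


def determinism_digest(record) -> str:
    """Hash of the record with volatile fields stripped; a reproducibility
    check compares this value, not the raw record."""
    stable = {k: v for k, v in record.items() if k not in VOLATILE_FIELDS}
    return sha256_hex(canonical_json(stable))


def is_reproduction(a, b) -> bool:
    return determinism_digest(a) == determinism_digest(b)


def diff_inputs(a, b):
    """Paths whose bytes changed (or appeared/disappeared) between two records."""
    ha = {i["path"]: i["sha256"] for i in a["inputs"]}
    hb = {i["path"]: i["sha256"] for i in b["inputs"]}
    return sorted(p for p in ha.keys() | hb.keys() if ha.get(p) != hb.get(p))


# Constructed sample artifacts (not real SBOM content).
INPUTS_V1 = {
    "sbom/app.cdx.json": b'{"components":[{"name":"libfoo","version":"1.2.3"}]}',
    "sbom/vex.json": b'{"statements":[]}',
}
INPUTS_V1_PATCHED = dict(INPUTS_V1, **{
    "sbom/app.cdx.json": b'{"components":[{"name":"libfoo","version":"1.2.4"}]}',
})


if __name__ == "__main__":
    run_a = build_evidence("demo-app", "firmware", "1.0.0", "2024-01-01",
                           INPUTS_V1, {"scan": 120})
    run_b = build_evidence("demo-app", "firmware", "1.0.0", "2024-01-01",
                           INPUTS_V1, {"scan": 987})
    print("reproducible despite different durations:", is_reproduction(run_a, run_b))
    run_c = build_evidence("demo-app", "firmware", "1.0.0", "2024-01-01",
                           INPUTS_V1_PATCHED)
    print("changed inputs:", diff_inputs(run_a, run_c))
```

The point of `canonical_json` is that "byte-reproducible" has to be engineered: any serializer that preserves insertion order or emits locale-dependent whitespace would make the same logical record hash differently between runs.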

Warnings vs errors

  • Errors stop a command and return a stable exit code and error code with a fix.
  • Warnings never silently drop input. Malformed or unsupported inputs surface a warning (in scan-warnings.json) rather than being ignored. Under analyze --strict, warnings can be promoted to a distinct exit code.

Release gate and policies

A release gate evaluates manufacturer-selected policy (--fail-on-* flags or a named policy profile). With no policy, the gate is informational (exit 0). The gate is an engineering control, not a compliance decision.
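The warning/error split and the release gate above fit together as one small control flow: parsing never discards a bad input without a warning record, a fatal condition raises an error carrying a stable exit code, error code and fix, and the gate only fails when a selected policy matches. The code below is an added example, not SBOMFlow's implementation; the exit code values, the `W-*`/`E-*` codes, the modelling of `--fail-on-*` as a set of finding categories, and the sample SBOM inputs are all assumptions.

```python
import json

# Exit code values are assumptions for this example; the page only says they
# are stable and that strict-mode warnings get a distinct code.
EXIT_OK = 0
EXIT_POLICY_FAIL = 2
EXIT_STRICT_WARNINGS = 3
EXIT_ERROR = 10


class CommandError(Exception):
    """An error stops the command: stable exit code, error code, and a fix hint."""

    def __init__(self, code, message, fix, exit_code=EXIT_ERROR):
        super().__init__(message)
        self.code = code
        self.fix = fix
        self.exit_code = exit_code


def parse_inputs(raw_inputs):
    """Parse each named SBOM text. Malformed or unsupported inputs become
    warnings and are skipped; they are never dropped without a trace."""
    if not raw_inputs:
        raise CommandError("E-NO-INPUT", "no input artifacts given",
                           "pass at least one SBOM file")
    components, warnings = [], []
    for name, text in raw_inputs.items():
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            warnings.append({"input": name, "code": "W-MALFORMED-JSON",
                             "detail": exc.msg})
            continue
        comps = doc.get("components") if isinstance(doc, dict) else None
        if not isinstance(comps, list):
            warnings.append({"input": name, "code": "W-UNSUPPORTED-SHAPE",
                             "detail": "document has no 'components' list"})
            continue
        components.extend(comps)
    return components, warnings


def render_scan_warnings(warnings):
    """Payload for scan-warnings.json, sorted so repeated runs produce identical bytes."""
    ordered = sorted(warnings, key=lambda w: (w["input"], w["code"]))
    return json.dumps({"warnings": ordered}, indent=2, sort_keys=True)


def evaluate_gate(components, warnings, fail_on=frozenset(), strict=False):
    """Release gate. fail_on stands in for the --fail-on-* flags as a set of
    finding categories (assumed shape). With an empty fail_on the gate is
    informational and never fails; strict promotes warnings to their own code."""
    hits = [{"component": c.get("name"), "finding": f}
            for c in components for f in c.get("findings", []) if f in fail_on]
    if hits:
        return EXIT_POLICY_FAIL, {"status": "fail", "hits": hits,
                                  "warnings": len(warnings)}
    if strict and warnings:
        return EXIT_STRICT_WARNINGS, {"status": "warnings-promoted", "hits": [],
                                      "warnings": len(warnings)}
    return EXIT_OK, {"status": "pass" if fail_on else "informational",
                     "hits": [], "warnings": len(warnings)}


def run(raw_inputs, fail_on=frozenset(), strict=False):
    """Whole command: returns (exit_code, report) instead of calling sys.exit."""
    try:
        components, warnings = parse_inputs(raw_inputs)
    except CommandError as err:
        return err.exit_code, {"status": "error", "error": err.code, "fix": err.fix}
    code, report = evaluate_gate(components, warnings, fail_on, strict)
    report["scan_warnings"] = render_scan_warnings(warnings)
    return code, report


# Constructed sample inputs: one valid SBOM, one malformed, one of the wrong shape.
SAMPLE_INPUTS = {
    "app.cdx.json": json.dumps({"components": [
        {"name": "libfoo", "version": "1.2.3", "findings": ["critical-vuln"]},
        {"name": "libbar", "version": "0.9.0", "findings": []},
    ]}),
    "broken.json": "{ not json",
    "odd.json": json.dumps({"packages": []}),
}


if __name__ == "__main__":
    for policy, strict in [(frozenset(), False), (frozenset(), True),
                           (frozenset({"critical-vuln"}), False)]:
        code, report = run(SAMPLE_INPUTS, policy, strict)
        print(code, report["status"], "warnings:", report["warnings"])
```

Note that the two malformed inputs never change the gate's verdict on their own: without a policy the run exits 0 and the warnings are only visible in the scan-warnings.json payload, which is exactly why a CI pipeline that wants them to block must opt into strict mode rather than assume silence means clean.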

Evidence lifecycle and decision memory

Reviewer decisions, VEX justifications, and prior determinations are recorded and can be surfaced on later releases as context. Release drift compares engineering artifacts across releases. Both are context, never an automatic decision.

The reviewer boundary

Read Observed vs reviewed — the single most important concept in SBOMFlow.