Core concepts
Deterministic evidence engine
With input artifacts and run context (including --as-of) pinned, SBOMFlow produces stable identifiers, content hashes, and byte-reproducible release artifacts. Opt-in operational phase durations are excluded from determinism checks. This is what makes an evidence record re-checkable and diffable.
Product and release identity
Evidence is anchored to a product, a declared product class, and a specific release/version. Identity is what lets decisions and drift be compared release to release.
Provenance and hashing
Every input file is hashed (SHA-256). Every release decision traces back to the exact bytes it was made from. Provenance is always recorded.
Warnings vs errors
- Errors stop a command and return a stable exit code and error code, together with a suggested fix.
- Warnings never silently drop input. Malformed or unsupported inputs surface a warning (in scan-warnings.json) rather than being ignored. Under analyze --strictwarnings, warnings can be promoted to a distinct exit code.
Release gate and policies
A release gate evaluates manufacturer-selected policy (--fail-on-* flags or a named policy profile). With no policy, the gate is informational (exit 0). The gate is an engineering control, not a compliance decision.
Evidence lifecycle and decision memory
Reviewer decisions, VEX justifications, and prior determinations are recorded and can be surfaced on later releases as context. Release drift compares engineering artifacts across releases. Both are context, never an automatic decision.
The reviewer boundary
Read Observed vs reviewed — the single most important concept in SBOMFlow.