Redaction contract

This page is generated from the share-profile contracts in the code (reporting/bundle.py), so "exactly what leaves my machine in a shared pack?" is answered with the code's own truth, not a hand-written promise that could drift. A sharing pack copies a redacted subset of the manufacturer's engineering evidence; it adds no authority and is not a declaration of CRA conformity.

Always redacted (every profile)

These internal fields are excluded from every sharing pack and the export is validator-checked so they cannot leak:

  • reviewer_notes
  • reviewer_identities
  • per_requirement_rationale
  • evidence_gap_recommendations
  • advisory_finding_details
  • internal_source_artifact_paths
  • build_provenance_internal_fields
  • absolute_paths_and_internal_layout
  • local_usernames_and_hostnames
  • environment_values_and_credentials
  • private_repository_urls

Always included

Only the redacted SBOM projections are copied into a pack — never the canonical SBOMs or the raw evidence pack:

  • shared-cyclonedx-sbom.json
  • shared-spdx-sbom.json
  • shared-spdx3-sbom.json

Per-profile contracts

Choose a profile with --share-profile. Each embeds its own purpose and allowlist/redaction contract.

importer

Downstream importer composition and release-evidence handoff.

Included artifacts:

  • shared-cyclonedx-sbom.json
  • shared-spdx-sbom.json
  • shared-spdx3-sbom.json

Redacted fields:

  • reviewer_notes
  • reviewer_identities
  • per_requirement_rationale
  • evidence_gap_recommendations
  • advisory_finding_details
  • internal_source_artifact_paths
  • build_provenance_internal_fields
  • absolute_paths_and_internal_layout
  • local_usernames_and_hostnames
  • environment_values_and_credentials
  • private_repository_urls

No-claim framing:

  • This is an evidence-sharing pack for a downstream economic operator (importer/distributor): a redacted subset of the manufacturer's engineering evidence.
  • It is not legal advice and not a declaration of CRA conformity; it does not establish the manufacturer's or the recipient's conformity.
  • Sharing adds no authority. The recipient remains responsible for their own obligations and for reviewing this evidence.
  • Any referenced declaration is an unsigned draft; SBOMFlow never files, transmits, or signs regulatory reports.
  • No network is used to build this sharing pack.

distributor

Downstream distributor composition and release-evidence handoff.

Included artifacts:

  • shared-cyclonedx-sbom.json
  • shared-spdx-sbom.json
  • shared-spdx3-sbom.json

Redacted fields:

  • reviewer_notes
  • reviewer_identities
  • per_requirement_rationale
  • evidence_gap_recommendations
  • advisory_finding_details
  • internal_source_artifact_paths
  • build_provenance_internal_fields
  • absolute_paths_and_internal_layout
  • local_usernames_and_hostnames
  • environment_values_and_credentials
  • private_repository_urls

No-claim framing:

  • This is an evidence-sharing pack for a downstream economic operator (importer/distributor): a redacted subset of the manufacturer's engineering evidence.
  • It is not legal advice and not a declaration of CRA conformity; it does not establish the manufacturer's or the recipient's conformity.
  • Sharing adds no authority. The recipient remains responsible for their own obligations and for reviewing this evidence.
  • Any referenced declaration is an unsigned draft; SBOMFlow never files, transmits, or signs regulatory reports.
  • No network is used to build this sharing pack.

customer

Customer-facing security-posture summary for a customer's supplier security review: product identity, the shared SBOM subset, workflow-completeness facts, and the release-gate outcome, with advisory-finding and evidence-gap details redacted by default.

Included artifacts:

  • shared-cyclonedx-sbom.json
  • shared-spdx-sbom.json
  • shared-spdx3-sbom.json

Redacted fields:

  • reviewer_notes
  • reviewer_identities
  • per_requirement_rationale
  • evidence_gap_recommendations
  • advisory_finding_details
  • internal_source_artifact_paths
  • build_provenance_internal_fields
  • absolute_paths_and_internal_layout
  • local_usernames_and_hostnames
  • environment_values_and_credentials
  • private_repository_urls

No-claim framing:

  • This is a customer-facing security-posture summary (a supplier security-review handoff): a redacted subset of the manufacturer's engineering evidence.
  • It is not legal advice, not a certification, and not a declaration of CRA conformity; it does not establish the manufacturer's or the recipient's conformity.
  • Sharing adds no authority. The recipient remains responsible for their own security assessment and for reviewing this evidence.
  • Any referenced declaration is an unsigned draft; SBOMFlow never files, transmits, or signs regulatory reports.
  • No network is used to build this sharing pack.