SLSA Compliance
Root’s AVR pipeline generates SLSA (Supply chain Levels for Software Artifacts) provenance attestations for every artifact it produces. Attestations are available for all images and packages from cr.root.io and pkg.root.io.
Every artifact includes:
- Signed SLSA provenance - cryptographically signed build record in SLSA format
- SPDX SBOM - full component inventory
- OpenVEX statements - vulnerability exploitability assertions
- cosign image signatures - signatures over the image digest, verifiable with cosign, so consumers can check that an image came from Root before pulling attestations for it
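The items above are what a consumer has to check before trusting an image. The following is an added example (not Root's code, and not Root's API response format): it assumes the provenance endpoint returns a DSSE envelope wrapping an in-toto Statement with a SLSA provenance predicate, which is the layout cosign and the SLSA tooling emit, and that an OpenVEX document is fetched alongside it. The builder id, image name, digest, purl and CVE id in the sample are constructed placeholders. The code performs the structural policy checks a deployment gate would run after cosign has verified the signatures: the attestation subject must match the digest actually being deployed, the predicate must be SLSA provenance from the expected builder, and the CVE in question must be cleared by a VEX statement.

```python
"""Consumer-side gate for SLSA provenance + OpenVEX (added example, not Root's code)."""
import base64
import json

# Type URIs defined by in-toto, SLSA and OpenVEX (real values, not assumptions).
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
IN_TOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SLSA_PREDICATE_TYPES = {"https://slsa.dev/provenance/v0.2", "https://slsa.dev/provenance/v1"}
VEX_CLEARING_STATUSES = {"not_affected", "fixed"}  # the only statuses that clear a finding


def decode_dsse(envelope: dict) -> dict:
    """Unwrap a DSSE envelope into its in-toto Statement.

    Shape checks only: the signature over the payload must be verified first
    (e.g. with cosign) or these contents prove nothing.
    """
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("DSSE envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def builder_id(statement: dict) -> str:
    """Locate the builder id in either the SLSA v0.2 or the v1 predicate layout."""
    pred = statement.get("predicate", {})
    if statement.get("predicateType") == "https://slsa.dev/provenance/v1":
        return pred.get("runDetails", {}).get("builder", {}).get("id", "")
    return pred.get("builder", {}).get("id", "")


def check_provenance(statement: dict, image_digest: str, expected_builder: str) -> list:
    """Return policy violations; an empty list means the provenance is acceptable."""
    problems = []
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        problems.append(f"not an in-toto Statement: {statement.get('_type')!r}")
    if statement.get("predicateType") not in SLSA_PREDICATE_TYPES:
        problems.append(f"not SLSA provenance: {statement.get('predicateType')!r}")
    # The attestation must be about the image being deployed: compare against the
    # digest the registry resolved, never against a mutable tag.
    algo, _, want = image_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == want for s in statement.get("subject", [])):
        problems.append(f"no subject matches {image_digest}")
    got = builder_id(statement)
    if got != expected_builder:
        problems.append(f"builder {got!r} != expected {expected_builder!r}")
    return problems


def vex_status(vex_doc: dict, product_id: str, vuln_id: str):
    """Return the OpenVEX status asserted for (product, vulnerability), or None."""
    for st in vex_doc.get("statements", []):
        vuln = st.get("vulnerability")
        name = vuln.get("name") if isinstance(vuln, dict) else vuln  # v0.2.0 object vs older string
        if name != vuln_id:
            continue
        products = [p.get("@id") if isinstance(p, dict) else p for p in st.get("products", [])]
        if product_id in products:
            return st.get("status")
    return None


def admit(image_digest, envelope, vex_doc, expected_builder, product_id, vuln_id):
    """Gate decision: provenance must match the image and the CVE must be cleared by VEX."""
    problems = check_provenance(decode_dsse(envelope), image_digest, expected_builder)
    status = vex_status(vex_doc, product_id, vuln_id)
    if status not in VEX_CLEARING_STATUSES:
        problems.append(f"{vuln_id} status for {product_id}: {status!r}")
    return (not problems, problems)


# ---- constructed sample inputs (placeholders, not real Root artifacts) ----------
IMAGE_DIGEST = "sha256:" + "ab" * 32                    # fake digest
BUILDER = "https://example.com/avr-builder"             # assumed builder id
PRODUCT = f"pkg:oci/nginx@{IMAGE_DIGEST}"               # purl of the image as named in the VEX doc
CVE = "CVE-2099-0001"                                   # placeholder vulnerability id
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "cr.example.com/nginx", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {"builder": {"id": BUILDER}}},
}
ENVELOPE = {
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],  # placeholder, not a real signature
}
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [{"vulnerability": {"name": CVE}, "products": [{"@id": PRODUCT}],
                    "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}],
}

if __name__ == "__main__":
    print(admit(IMAGE_DIGEST, ENVELOPE, VEX_DOC, BUILDER, PRODUCT, CVE))
    # A substituted image fails the subject check even though the envelope itself is intact:
    print(admit("sha256:" + "cd" * 32, ENVELOPE, VEX_DOC, BUILDER, PRODUCT, CVE))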
FIPS & STIG
Root has published FIPS and STIG attestation materials at github.com/rootio-avr/fips-attestations. For questions about FIPS requirements and current availability, contact security@root.io.SOC 2 Type II
Root holds SOC 2 Type II certification, validating controls for security, availability, and confidentiality. To request the report, contact security@root.io.Cyber Essentials
Root holds Cyber Essentials certification, demonstrating essential cybersecurity measures.Industry Memberships
Root is an active participant in key open source and security standards bodies:- CNCF - Contributing member
- OWASP Global - Member
- OASIS - Voting member
Requesting Compliance Documentation
| Document | How to Access |
|---|---|
| SOC 2 Type II report | Email security@root.io |
| FIPS attestations and STIG scan results | github.com/rootio-avr/fips-attestations (public) |
| SLSA provenance for any artifact | Root API - /v1/images/tags/{rrtID}/provenance |
| SBOMs for any artifact | Root API - /v1/images/tags/{rrtID}/sbom |
| Security questionnaire / procurement review | Email security@root.io |