dendrodocs
diff --git a/‎.github/workflows/Continuous.yml‎
Lines changed: 54 additions & 8 deletions b/‎.github/workflows/Continuous.yml‎
Lines changed: 54 additions & 8 deletions
diff --git a/‎.gitignore‎
Lines changed: 6 additions & 1 deletion b/‎.gitignore‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.nuke/build.schema.json‎
Lines changed: 6 additions & 1 deletion b/‎.nuke/build.schema.json‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.trivyignore.yaml‎
Lines changed: 5 additions & 0 deletions b/‎.trivyignore.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎Directory.Packages.props‎
Lines changed: 7 additions & 6 deletions b/‎Directory.Packages.props‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎README.md‎
Lines changed: 10 additions & 0 deletions b/‎README.md‎
Lines changed: 10 additions & 0 deletions
@@ -8,32 +8,78 @@ on:
     branches:
       - main
   release:
-    types: [created]
+    types:
+      - created
+
+permissions:
+  contents: read
+  packages: none
+  id-token: none
+  attestations: none
 
 jobs:
-  ubuntu-latest:
-    name: ubuntu-latest
-    runs-on: ubuntu-latest
+  build:
+    name: Build & Push
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
     steps:
-      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+
       - name: 'Cache: .nuke/temp, ~/.nuget/packages'
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             .nuke/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }}
+
+      - name: Cache Trivy DB
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
+        with:
+          path: .trivy-cache
+          key: ${{ runner.os }}-trivy-cache
+
       - name: 'Run: Push'
         run: ./build.cmd Push
         env:
           FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }}
           NuGetApiKey: ${{ secrets.NUGET_API_KEY }}
+
       - name: Report Coveralls
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
+
       - name: 'Publish: Artifacts'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: Artifacts
           path: Artifacts
+
+      # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis
+      - name: Upload SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-tool')
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: SBOM
+          path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+
+      # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums
+      # (SLSA provenance proof, can be verified by downstream consumers)
+      - name: Attest SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-tool')
+        uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b
+        with:
+          sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+          subject-checksums: Artifacts/SHA256SUMS
@@ -263,4 +263,9 @@ paket-files/
 *.sln.iml
 pub/
 
-**/launchSettings.json
+**/launchSettings.json
+
+.trivy-cache
+.nuke/temp
+[Aa]rtifacts
+[Ss]bom
@@ -24,16 +24,21 @@
     "ExecutableTarget": {
       "type": "string",
       "enum": [
+        "Audit",
         "CalculateVersion",
         "Clean",
         "CodeCoverage",
         "Compile",
         "Pack",
+        "Proof",
         "Push",
         "PushGithub",
         "PushNuget",
         "Restore",
-        "UnitTests"
+        "SbomDeliverable",
+        "ScanSource",
+        "UnitTests",
+        "VerifyCleanGit"
       ]
     },
     "Verbosity": {
 
@@ -0,0 +1,5 @@
+vulnerabilities:
+  - id: CVE-2025-26646
+    purls:
+      - "pkg:nuget/[email protected]"
+    statement: Microsoft.Build.Tasks.Core 17.11.31 is believed to be a fixed version, incorrectly not marked as such.
@@ -7,19 +7,20 @@
     <PackageVersion Include="Buildalyzer.Workspaces" Version="7.1.0" />
     <PackageVersion Include="CommandLineParser" Version="2.9.1" />
     <PackageVersion Include="coverlet.collector" Version="6.0.4" />
-    <PackageVersion Include="DendroDocs.Shared" Version="0.3.0" />
     <PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="8.0.0" />
+    <PackageVersion Include="DendroDocs.Shared" Version="0.4.2" />
     <PackageVersion Include="Newtonsoft.Json.Schema" Version="4.0.1" />
     <PackageVersion Include="Nuke.Common" Version="9.0.4" />
     <PackageVersion Include="Nuke.Components" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Build" Version="17.11.31" />
+    <PackageVersion Include="Microsoft.Build.Framework" Version="17.11.31" />
     <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.11.31" />
-    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.12.0" />
-    <PackageVersion Include="Microsoft.CodeAnalysis.VisualBasic.Workspaces" Version="4.12.0" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.14.0" />
+    <PackageVersion Include="Microsoft.CodeAnalysis.VisualBasic.Workspaces" Version="4.14.0" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
-    <PackageVersion Include="MSTest.TestAdapter" Version="2.2.10" />
-    <PackageVersion Include="MSTest.TestFramework" Version="2.2.10" />
+    <PackageVersion Include="MSTest.TestAdapter" Version="3.10.1" />
+    <PackageVersion Include="MSTest.TestFramework" Version="3.10.1" />
     <PackageVersion Include="Shouldly" Version="4.3.0" />
   </ItemGroup>
 </Project>
@@ -49,6 +49,16 @@ dendrodocs-analyze --folder /path/to/projects --exclude /path/to/unwanted.csproj
 The output of **DendroDocs.Tool** is a comprehensive JSON file that conforms to the schema defined in the [DendroDocs Schema](https://github.com/dendrodocs/schema).
 This JSON file provides a representation of your source code, which can be used to generate various types of documentation or integrate with other tools in your development pipeline.
 
+## Security & Build Attestation
+
+This library includes build attestation through GitHub's attest-build-provenance action, providing cryptographic proof of the build process and artifact integrity. Each published package includes verifiable provenance information that demonstrates:
+
+* The exact repository and commit that built the artifacts
+* The GitHub Actions workflow that produced the packages
+* Cryptographic signatures ensuring artifact authenticity
+
+This ensures that the packages you install have not been tampered with and came from the official DendroDocs build pipeline.
+
 ## The DendroDocs Ecosystem
 
 **DendroDocs.Tool** is part of the broader DendroDocs ecosystem.