{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "_comment": "LadderScan Security Assessment Summary - Multi-audience attestation",
  "version": "1.0",
  "assessmentDate": "2026-03-01T01:31:14Z",
  "product": {
    "name": "LadderScan",
    "version": "1.0.154",
    "vendor": "Lucidyne, LLC",
    "contact": "contact@ladderscan.io",
    "website": "https://ladderscan.io",
    "description": "Static analysis and security scanning tool for PLC logic (IEC 61131-3 Structured Text)"
  },
  "compliance": {
    "standards": [
      {
        "name": "OASIS SARIF v2.1.0",
        "description": "Static Analysis Results Interchange Format",
        "status": "compliant",
        "artifact": "sast-report.json",
        "specification": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
      },
      {
        "name": "CycloneDX v1.5",
        "description": "Software Bill of Materials (CycloneDX format)",
        "status": "compliant",
        "artifact": "sbom.cdx.json",
        "specification": "https://cyclonedx.org/specification/overview/"
      },
      {
        "name": "SPDX v2.3",
        "description": "Software Bill of Materials (SPDX format)",
        "status": "compliant",
        "artifact": "sbom.spdx.json",
        "specification": "https://spdx.github.io/spdx-spec/v2.3/"
      },
      {
        "name": "SLSA v1.0",
        "description": "Supply-chain Levels for Software Artifacts - Provenance",
        "status": "compliant",
        "artifact": "provenance.intoto.json",
        "specification": "https://slsa.dev/spec/v1.0/"
      },
      {
        "name": "in-toto Attestation v1",
        "description": "Software Supply Chain Attestation Framework",
        "status": "compliant",
        "specification": "https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md"
      }
    ],
    "federalGuidance": {
      "applicableTo": ["FedRAMP", "NIST 800-53", "CISA Secure by Design"],
      "sbomProvided": true,
      "sastReportProvided": true,
      "vulnerabilityScanProvided": true,
      "supplyChainProvenanceProvided": true
    }
  },
  "securityPosture": {
    "staticAnalysis": {
      "tool": "cargo-clippy + custom SAST rules",
      "findings": {
        "critical": 0,
        "high": 0,
        "medium": 7,
        "low": 0,
        "informational": 0
      },
      "report": "sast-report.json",
      "format": "SARIF v2.1.0"
    },
    "dependencyAudit": {
      "tool": "cargo-audit",
      "knownVulnerabilities": 0,
      "report": "audit-results.json",
      "lastUpdated": "2026-02-06T00:00:00Z"
    },
    "softwareBillOfMaterials": {
      "format": "CycloneDX 1.5",
      "report": "sbom.cdx.json",
      "componentCount": 15,
      "licenseCompliance": {
        "status": "compliant",
        "allowedLicenses": ["MIT", "Apache-2.0", "Unlicense", "BSD-2-Clause", "BSD-3-Clause"],
        "violations": 0
      }
    }
  },
  "buildIntegrity": {
    "buildEnvironment": "CI/CD Pipeline",
    "reproducible": true,
    "signedArtifacts": false,
    "provenanceAttestation": "provenance.intoto.json"
  },
  "runtimeSecurity": {
    "executionEnvironment": "WebAssembly (browser sandbox)",
    "networkAccess": false,
    "fileSystemAccess": false,
      "dataRetention": "none; all processing is performed client-side",
    "privacyCompliant": true
  },
  "artifacts": {
    "sbom_cyclonedx": {
      "path": "sbom.cdx.json",
      "format": "CycloneDX 1.5 JSON",
      "description": "Complete software bill of materials with dependency hashes"
    },
    "sbom_spdx": {
      "path": "sbom.spdx.json",
      "format": "SPDX 2.3 JSON",
      "description": "Software bill of materials in SPDX format"
    },
    "sast": {
      "path": "sast-report.json", 
      "format": "SARIF v2.1.0",
      "description": "Static analysis security testing results"
    },
    "audit": {
      "path": "audit-results.json",
      "format": "cargo-audit JSON",
      "description": "Dependency vulnerability scan (CVE database)"
    },
    "provenance": {
      "path": "provenance.intoto.json",
      "format": "in-toto Statement v1 / SLSA Provenance v1",
      "description": "Build provenance attestation"
    },
    "license": {
      "path": "LICENSE.txt",
      "format": "text",
      "description": "Proprietary license terms"
    }
  },
  "attestations": {
    "securityReview": {
      "status": "self-attested",
      "date": "2026-02-06",
      "reviewer": "Lucidyne, LLC",
      "summary": "No critical- or high-severity vulnerabilities identified; the remaining static-analysis findings are medium severity (see securityPosture.staticAnalysis.findings). All dependencies use permissive open-source licenses compatible with commercial use."
    },
    "supplyChain": {
      "status": "SLSA Level 1",
      "buildPlatform": "CI/CD Pipeline",
      "sourceIntegrity": "version controlled",
      "buildIntegrity": "build logs available"
    }
  }
}
