Secure Development Lifecycle

May 10, 2026 ยท View on GitHub

This documentation describes the secure development practices for Hex registry infrastructure, organized into three pillars.

Pillars

Secure Build

How we build software securely:

  • Artifact provenance and integrity
  • Dependency management and constraints
  • Toolchain security (CI/CD, compilers, formatters)

Secure Process

How we develop software securely:

  • Code review requirements
  • Quality assurance and testing
  • Security scanning
  • Vulnerability handling and disclosure

Secure Runtime

How we run software securely:

  • Deployment controls
  • Secrets management
  • Service ownership
  • Monitoring and observability

Registers

Risk Register

Tracked security risks with their severity, status, and mitigations.

Exception Register

Approved deviations from security policies with justification and expiry.