Secure Development Lifecycle
May 10, 2026 ยท View on GitHub
This documentation describes the secure development practices for Hex registry infrastructure, organized into three pillars.
Pillars
Secure Build
How we build software securely:
- Artifact provenance and integrity
- Dependency management and constraints
- Toolchain security (CI/CD, compilers, formatters)
Secure Process
How we develop software securely:
- Code review requirements
- Quality assurance and testing
- Security scanning
- Vulnerability handling and disclosure
Secure Runtime
How we run software securely:
- Deployment controls
- Secrets management
- Service ownership
- Monitoring and observability
Registers
Risk Register
Tracked security risks with their severity, status, and mitigations.
Exception Register
Approved deviations from security policies with justification and expiry.
Related Documentation
- Supply Chain Security - Package integrity from publish to install
- Operations - Incident response and access control