ADRs tagged security

Auto-generated by scripts/docs/generate-adr-by-tag.sh. Edit ADR Tags: lines to update.

24 ADR(s) carry this tag.

ID Title
ADR-0010 Sign release artifacts keyless via Sigstore
ADR-0015 CI matrix Linux/macOS/Windows with sanitizers
ADR-0033 Relocate CodeQL config to .github/
ADR-0037 Protect master branch on GitHub with required checks
ADR-0038 Purge upstream MATLAB MEX compiled binaries from tree
ADR-0039 Pull forward runtime op-allowlist walk and model registry
ADR-0169 ONNX op-allowlist — admit Loop + If with recursive subgraph scan (T6-5)
ADR-0171 Bounded Loop.M trip-count guard (T6-5b)
ADR-0211 Tiny-model registry schema + Sigstore --tiny-model-verify
ADR-0258 ONNX op-allowlist — admit Resize for saliency / segmentation models (T7-32)
ADR-0263 OSSF Scorecard policy and remediation cadence
ADR-0270 libFuzzer scaffold for parser surfaces (OSSF Scorecard remediation)
ADR-0311 libFuzzer harness expansion — fuzz_yuv_input + fuzz_cli_parse
ADR-0316 cli_parse — handle long-only options in error()
ADR-0348 Globally suppress CodeQL cpp/poorly-documented-function
ADR-0363 Mend Renovate replaces Dependabot as the dependency-update bot
ADR-0379 libvmaf Symbol Visibility — Hide Internal Symbols with -fvisibility=hidden
ADR-0382 Y4M header parser — reject non-positive width or height before allocation
ADR-0404 Keep nightly.yml + fuzz.yml red until underlying bugs land
ADR-0683 Replace banned functions in vendored MCP cJSON
ADR-0694 Tighten clang-tidy enforcement + confirm sanitizers as required CI gates
ADR-0698 VMAFX Production Dockerfile — Multi-Arch, Image Signing, SBOM
ADR-0840 Fix cu_state leak on import failure and gpu_dispatch_env TOCTOU
ADR-0887 Reject JSON models whose per-feature arrays disagree on length