Bill of materials
fremforge is deliberately transparent about the tooling underneath every control. Customers under BSI C5, ISO 27001, BaFin, or ENISA-regulated review need the tool-level audit trail, and we’d rather you can grep our source than reverse-engineer a black box.
This page is the authoritative inventory. The shorter table on the security features overview is a quick-reference subset; this one is the full record — versions, pull sources, where each component runs, the supply-chain attestation that ships with it, and the licence.
Supply-chain integrity
Every dependency, container image, and binary in this inventory enters the platform under fremforge’s upstream-contact rule:
- GitHub-hosted code flows via the Forgejo native pull-mirror at `frem.sh/<canonical-org>/<repo>` (8-hour sync). Customer workflows resolving `uses: actions/checkout@v4` hit `frem.sh/actions/checkout`; there is no direct github.com fetch on the customer’s critical path.
- Container images (docker.io / ghcr.io / quay.io / public.ecr.aws) flow via the `swr-mirror` cron into T Cloud SWR at `swr.eu-de.otc.t-systems.com/fremforge-prd/cache-<name>:<tag>`. Production manifests never reference an upstream registry directly.
- Release binaries that aren’t shipped as OCI (e.g. `opengrep`, `cosign`) are wrapped in tiny scratch-based `cache-<tool>` images and pulled via `COPY --from=swr...cache-<tool>`. Renovate tracks the upstream github-release version and opens a weekly bump PR.
The audit row in CI checks Dockerfiles and k8s manifests for any `image: ...docker.io/...` or `curl ...github.com...` reference that would bypass the mirror. Zero violations as of 2026-06-02; the most recent fix switched the runner-base image to `cache-opengrep`.
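As an added illustration of the audit row described above (example code written for this page, not fremforge’s own CI), the script below reimplements the check as a portable shell audit over Dockerfiles and Kubernetes manifests. It assumes the mirror prefix is `swr.eu-de.otc.t-systems.com/fremforge-prd/` (the page’s `swr…/fremforge-prd/` shorthand spelled out) and runs against constructed sample files; the image names `api:1.4.2`, `example-org/tool` and the `/opengrep` path inside the cache image are made up. It goes one step beyond the string match in the text: every `FROM`, `COPY --from=` and `image:` reference that is not under the mirror prefix is reported (only `scratch` and build-stage aliases are exempt), which also catches bare names such as `redis:7` that resolve to docker.io without the registry ever appearing in the file.

```shell
#!/bin/sh
# Added example for this page, not fremforge's own CI code: a mirror-bypass audit over
# Dockerfiles and Kubernetes manifests. MIRROR is an assumption spelled out from the
# page's "swr…/fremforge-prd/" shorthand.
set -u

MIRROR='swr.eu-de.otc.t-systems.com/fremforge-prd/'
UPSTREAM='(docker\.io|ghcr\.io|quay\.io|public\.ecr\.aws)/'
# curl / wget / git clone invocations that reach github.com, ignoring comments.
FETCH_RE='^([^#]*[^#A-Za-z])?(curl|wget|git[[:space:]]+clone)[^#]*github\.com'

# image_refs FILE: every image reference (FROM, COPY --from=, image:) as "LINE:REF".
image_refs() {
  grep -nE '^[[:space:]]*-?[[:space:]]*(FROM[[:space:]]+|COPY[[:space:]]+--from=|image:[[:space:]]+)' "$1" |
    sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*(FROM[[:space:]]+|COPY[[:space:]]+--from=|image:[[:space:]]+)"?([^"[:space:]]+).*/\1:\3/'
}

# stage_names FILE: build-stage aliases ("FROM ... AS name"), legitimate COPY --from targets.
stage_names() {
  grep -iEo '^[[:space:]]*FROM[^#]*[[:space:]]AS[[:space:]]+[A-Za-z0-9_.-]+' "$1" | awk '{print $NF}'
}

# audit_file FILE: prints one "FILE:LINE: reason: ref" per bypass; returns 1 if any were found.
audit_file() {
  local f="$1" rc=0 stages tmp ln ref hits
  stages=" $(stage_names "$f" | tr '\n' ' ') "
  tmp=$(mktemp)
  image_refs "$f" > "$tmp"
  while IFS=: read -r ln ref; do
    [ -n "$ref" ] || continue
    case "$ref" in
      scratch) continue ;;       # empty base image, nothing is pulled
      "$MIRROR"*) continue ;;    # compliant: pulled through SWR
    esac
    case "$stages" in *" $ref "*) continue ;; esac   # COPY --from=<build stage>
    if printf '%s\n' "$ref" | grep -qE "^$UPSTREAM"; then
      printf '%s:%s: upstream registry referenced directly: %s\n' "$f" "$ln" "$ref"
    else
      printf '%s:%s: not pulled via the mirror (implicit docker.io or unknown host): %s\n' "$f" "$ln" "$ref"
    fi
    rc=1
  done < "$tmp"
  rm -f "$tmp"
  # Shell fetches that go straight to github.com on the build path.
  hits=$(grep -nE "$FETCH_RE" "$f") && {
    printf '%s\n' "$hits" | sed -e "s|^|$f:|" -e 's/$/ (direct github.com fetch)/'
    rc=1
  }
  return "$rc"
}

# make_samples DIR: constructed sample inputs (not real fremforge files) written into DIR.
make_samples() {
  local dir="$1"
  cat > "$dir/Dockerfile" <<'EOF'
FROM docker.io/library/alpine:3.20 AS builder
RUN curl -fsSL https://github.com/example-org/tool/releases/download/v1.0.0/tool -o /tool
FROM swr.eu-de.otc.t-systems.com/fremforge-prd/cache-forgejo-runner:6.2.1
COPY --from=builder /tool /usr/local/bin/tool
COPY --from=ghcr.io/example-org/tool:1.0.0 /tool /usr/local/bin/tool2
EOF
  cat > "$dir/deploy.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  template:
    spec:
      containers:
        - name: api
          image: swr.eu-de.otc.t-systems.com/fremforge-prd/api:1.4.2
        - name: cache
          image: "redis:7"   # bare name: resolves to docker.io without naming it
EOF
  cat > "$dir/clean.Dockerfile" <<'EOF'
FROM scratch
COPY --from=swr.eu-de.otc.t-systems.com/fremforge-prd/cache-opengrep:1.21.0 /opengrep /usr/local/bin/opengrep
EOF
}

# Stand-alone run over the constructed samples. Pass --ci to exit non-zero on any bypass,
# the way a CI audit step would; without it the file can be sourced for its functions.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
status=0
for f in "$demo_dir/Dockerfile" "$demo_dir/deploy.yaml" "$demo_dir/clean.Dockerfile"; do
  audit_file "$f" || status=1
done
rm -rf "$demo_dir"
echo "mirror-bypass audit: status $status (0 = clean)"
if [ "${1:-}" = "--ci" ]; then exit "$status"; fi
```

Run it as `sh audit.sh --ci` in a CI step (after pointing the loop at the real Dockerfiles and manifests) to fail the job on the first bypass. The denylist in `UPSTREAM` only decides the wording of the finding; the decision itself is the allowlist on `MIRROR`, which is why the bare `redis:7` in the sample manifest is reported even though the string docker.io never occurs.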
CI + supply-chain tooling
| Tool | Version | Where used | License | Pull source |
|---|---|---|---|---|
| Forgejo | v15.x | Repo hosting, code review, Actions runner protocol, SSO auth-sources | GPLv3 | swr…/fremforge-prd/forgejo:<tag> (own build, fremforge/forgejo-build) |
| forgejo-runner (act_runner) | v6.2.1 | Per-job ephemeral runner pod | MIT | swr…/fremforge-prd/cache-forgejo-runner:6.2.1 |
| Gitleaks | v8.x | Pre-receive secret scan | MIT | swr…/fremforge-prd/cache-gitleaks:<ver> |
| OpenGrep | v1.21 | SAST on every PR (FOSS fork of Semgrep created after the Semgrep relicensing; see OSS audit) | LGPLv2.1 | swr…/fremforge-prd/cache-opengrep:1.21.0 |
| Trivy | v0.70 | Customer CI image scan + runner-image baked-in CVE check | Apache 2.0 | swr…/fremforge-prd/cache-aquasec-trivy:0.70.0 |
| osv-scanner | Latest | PR-time dependency CVE/GHSA scan | Apache 2.0 | swr…/fremforge-prd/cache-osv-scanner:<ver> |
| Syft | Latest | CycloneDX 1.5 + SPDX 2.3 SBOM on release-tag push | Apache 2.0 | swr…/fremforge-prd/cache-anchore-syft:<ver> |
| cosign | Latest | Image signing + verification (customer CI via cosign-verify.yaml) | Apache 2.0 | swr…/fremforge-prd/cache-cosign:<ver> |
| Fulcio | v1.8.5 (Helm 2.9.0) | Self-hosted code-signing CA at sign.frem.sh. Root CA in T Cloud DEW KMS (FIPS 140-2 Level 3 HSM). NOT the public Sigstore Fulcio — fremforge runs its own | Apache 2.0 | swr…/fremforge-prd/cache-sigstore-fulcio:1.8.5 |
| Sigstore TSA | Latest | RFC 3161 timestamp authority at tsa.frem.sh. Key in DEW KMS. NOT the public Sigstore TSA | Apache 2.0 | swr…/fremforge-prd/cache-sigstore-timestamp-server:<ver> |
| gitsign | Latest | Customer git client; OIDC-bound commit signing against the local Fulcio | Apache 2.0 | Customer-side install (brew install sigstore/tap/gitsign) |
| Renovate | Latest | Hosted dep-bump bot, 15-min cron, per-repo opt-out | AGPLv3 | swr…/fremforge-prd/cache-renovate:<ver> |
| kaniko | Latest | Rootless container build in customer workflows (alternative to BuildKit when customer can’t run privileged) | Apache 2.0 | swr…/fremforge-prd/cache-kaniko-executor:<ver> |
| ClamAV | Latest | Pre-receive malware scan + LFS upload scan | GPLv2 | swr…/fremforge-prd/cache-clamav:<ver> |
| SaneSecurity feeds | Daily | ClamAV signature feeds (Foxhole, RogueDB, etc.) — broadens detection beyond the upstream CVD set | (Vendor — EU) | DNS pull via outbound-proxy-strict allowlist |
| scorecard | Latest | Weekly OpenSSF best-practice run per repo | Apache 2.0 | swr…/fremforge-prd/cache-ossf-scorecard:<ver> |
| slsa-verifier | Latest | Customer-side verification of fremforge-issued SLSA L2 provenance | Apache 2.0 | Customer-side install |
Platform foundation
| Layer | Tool / vendor | Where used | License / posture |
|---|---|---|---|
| Container registry | T Cloud SWR | All fremforge images. Single source for runtime pulls; mirror for every upstream registry | Vendor (Deutsche Telekom, eu-de) |
| Kubernetes | T Cloud CCE Turbo (Cloud Native Network 2.0) | All workloads. Per-pod ENI + Security Group via Yangtse CNI | Vendor (Deutsche Telekom, eu-de) |
| Object storage (operator) | T Cloud OBS | Audit-chain WORM anchor, SBOM archive, data-export, OpenTofu state | Vendor (Deutsche Telekom, eu-de) |
| Relational DB | T Cloud RDS (PostgreSQL 15) | api state, tenant + finding tables, audit chain | Vendor (Deutsche Telekom, eu-de) |
| In-memory cache | T Cloud DCS Redis | Rate-limit counters, token-exchange seen-IP, session cache | Vendor (Deutsche Telekom, eu-de) |
| Key management | T Cloud DEW | MASTER_ENCRYPTION_KEY, Fulcio root CA, TSA signing key | Vendor (FIPS 140-2 Level 3 HSM, Germany) |
| Function-as-a-service | T Cloud FunctionGraph | Cron + reaper workloads (runner-stale-sweep, swr-mirror, etc.) | Vendor (Deutsche Telekom, eu-de) |
| Log + metric tier | T Cloud LTS + CES | Application logs, keyword alarms, SLO metrics | Vendor (Deutsche Telekom, eu-de) |
| Edge / CDN | Bunny CDN | TLS termination, EU-edge caching, edge rules, rate-limit floor | Vendor (Slovenia HQ, EU-resident, no US sub-processor) |
| Transactional email | Lettermint | Auth emails, billing notices, alerts | Vendor (NL, GDPR-resident) |
| Operational mailbox | mailbox.org | Inbound *@frem.sh admin mail | Vendor (Germany) |
| Payment processing | Mollie | Card + SEPA Direct Debit | Vendor (NL, GDPR-resident) |
| Bookkeeping | Dinero | Invoice issuance + accounting | Vendor (DK, GDPR-resident) |
| External uptime probe | updown.io | Off-net availability probes (api, Forgejo, Kuma, marketing, Authentik) | Vendor (FR) |
Every vendor on this list is contractually EU-resident with no US sub-processor in the data path. Full DPA + sub-processor chain on the trust page. The canonical machine-readable supplier inventory lives in fremverk/governance/suppliers.yaml — that file is the source-of-truth Annex B for the customer-facing DPA.
What we deliberately don’t use
| Anti-vendor / anti-tool | Why |
|---|---|
| github.com (direct) | EU sovereignty + Schrems II + the upstream-contact rule. Mirrored exclusively. |
| GitHub Advanced Security (CodeQL etc.) | Proprietary detection rules you can’t audit. We use OpenGrep + Trivy + osv-scanner — all OSS, all auditable. |
| Microsoft 365, Entra, Defender | Same. fremforge product has zero Microsoft footprint. (fremverk corporate IT is a separate identity world — see the Microsoft footprint note.) |
| Public Sigstore Fulcio/Rekor (sigstore.dev) | US-hosted; verification path would round-trip outside the EU. We run our own Fulcio + TSA in eu-de with the root CA in DEW KMS. No Rekor / transparency log by design — TSA-anchored timestamping is the integrity primitive instead. |
| AWS, GCP, Azure | US-cloud-controlled. T Cloud is operated by Deutsche Telekom on a Huawei-derived stack; the OpenTofu provider is the maintained-for-OTC fork (opentelekomcloud/opentelekomcloud, never huaweicloud/huaweicloud). |
| Cloudflare, Fastly, Akamai | Edge with US-cloud control. Bunny CDN is EU-HQ and contractually EU-resident. |
| Google Fonts, jsDelivr, unpkg CDN-loaded assets | Third-party CDN exposes traffic patterns to US-resident edges. All fonts/JS/CSS self-hosted at www.frem.sh/fonts/ via Bunny EU. |
| Long-lived service-account credentials in customer workflows | OIDC token federation (workflow OIDC) + agent-native auth replace them. Long-lived keys are an opt-in deprecated path with a deprecation banner. |
How to consume this BoM in your own audit pack
For an RFP response or vendor-questionnaire: link this page directly. The URL is stable: https://docs.frem.sh/security/bill-of-materials/.
For BSI C5 or ISO 27001 evidence: ask security@frem.sh for the dated PDF snapshot. We can also produce a CycloneDX-format SBOM of the platform itself (not just per-release) on request — useful for transitive-CVE matching.
For continuous verification: every release of every fremforge component publishes a Syft-generated CycloneDX SBOM, and the customer-side SLSA-L2 provenance includes the materials list with digest pins for every build input. Verify with slsa-verifier against fremforge’s published trust root — see SLSA provenance.
Drift: this BoM is hand-maintained today; the weekly rebuild manifest auto-publishes from 2026-Q3 (planned). Until then, ping security@frem.sh if you need a current snapshot before an audit.
Related
- Trust page — DPA, sub-processor list, compliance attestations.
- Security features at a glance — what each tool actually does, with deep links.
- SBOMs — how customer-side CycloneDX/SPDX SBOMs are generated.
- SLSA provenance — how the SLSA L2 attestation is signed against the local Fulcio.
- Vulnerability disclosure — security@frem.sh, 24h ack SLA.