Guide

Review & Publish

Review evidence packs, sign with your identity, and publish on your terms.

Your role in the process

Think of this like approving a document before it gets sent to a client. Automation does the gathering, but you do the quality check.

Review what's included: make sure nothing sensitive slipped in.

Check completeness: verify all expected evidence is present.

Choose when to release: publish on your schedule, not automation's.

Review workflow

# See what's in the pack
epack inspect latest.pack

# List all artifacts
epack list artifacts latest.pack

# Compare with previous release
epack diff previous.pack latest.pack

# Extract to review contents
epack extract --all latest.pack -o ./review
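As an added example, not part of epack itself, here is a small POSIX shell screen for the "nothing sensitive slipped in" step: run it over the directory that `epack extract --all latest.pack -o ./review` produced, before you sign. The secret patterns are a constructed starting set, and the script assumes a grep that supports -r, -I, -l and -E (GNU and BSD grep both do).

```shell
#!/bin/sh
# Pre-publish screen for an extracted evidence pack: list artifacts that look
# like they contain credentials so the release can be held. The patterns are a
# constructed starting set; this is a coarse screen to run before reading the
# artifacts, not a replacement for reading them.

# Secret-looking patterns (extended regex), one per line. Extend as needed.
SECRET_PATTERNS='-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
AKIA[0-9A-Z]{16}
ghp_[A-Za-z0-9]{36}'

# find_secret_hits DIR
# Prints each text file under DIR that matches any pattern, once, sorted.
find_secret_hits() {
  dir=$1
  printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pat; do
    # -r recurse, -I skip binaries, -l file names only, -E extended regex;
    # "|| :" keeps a no-match (exit 1) from aborting the loop under set -e.
    grep -rIlE -- "$pat" "$dir" 2>/dev/null || :
  done | sort -u
}

# scan_review_dir DIR
# Returns 0 when nothing matched, 1 when hits were found (listed on stderr),
# 2 when DIR does not exist.
scan_review_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  hits=$(find_secret_hits "$dir")
  if [ -n "$hits" ]; then
    echo "Sensitive content found; hold the release:" >&2
    printf '%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Typical use after extraction (left as comments so this file can be sourced):
#   epack extract --all latest.pack -o ./review
#   scan_review_dir ./review && epack sign latest.pack
```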

Signing your release

Signing creates cryptographic proof of who published the pack and that nothing changed after signing. epack uses Sigstore for keyless signing, so there are no long-lived keys to manage.

Interactive signing

For manual releases, sign interactively. This opens a browser to authenticate with your identity provider (Google, GitHub, Microsoft).

# Sign with your personal identity
epack sign evidence.pack

# Verify your own signature
epack verify evidence.pack

CI/CD signing

In CI, use workload identity. The signature includes the repository, workflow, and commit SHA, creating a full audit trail.

# CI signing (OIDC auto-detected)
epack sign evidence.pack

# Customer verifies the CI identity
epack verify --issuer "https://token.actions.githubusercontent.com" \
  --subject "repo:myorg/pipeline:ref:refs/heads/main" \
  evidence.pack

No key management: Sigstore uses short-lived certificates tied to your identity. Every signature is logged in a public transparency log (Rekor), providing non-repudiation and audit trails.

Push to a remote

The easiest way to publish is using remotes—configured destinations that handle upload, versioning, and access control automatically. Configure once in epack.yaml, then push with a single command.

Configure a remote

epack.yaml
remotes:
  locktivity:
    source: locktivity/epack-remote-locktivity@v1
    target:
      workspace: acme
      environment: prod
    auth:
      mode: device_code
    release:
      labels: [monthly]
    runs:
      sync: true

Push your pack

# Push to configured remote
epack push locktivity packs/evidence.epack

# Push with labels
epack push locktivity packs/evidence.epack \
  --label soc2 \
  --label february

# Push to staging environment
epack push locktivity packs/evidence.epack \
  --env staging

Run sync: With runs.sync: true, collector run results are automatically synced to the remote after each push, creating a continuous ledger of evidence collection.

Other publishing options

If you prefer manual distribution or don't use remotes, packs are just ZIP files that can be shared anywhere.

Cloud storage: upload to S3, GCS, or Azure Blob. Share download links or integrate with your existing file-sharing workflows. Simple, and works with any infrastructure.

Trust center: host packs on your existing trust center or security portal. Customers already know where to look. Best for customer self-service.

OCI registry: push packs to any OCI-compatible registry (Docker Hub, GHCR, ECR). Built-in versioning and access control. Best for automated consumption.

Direct sharing: email the pack directly or share via Slack, Teams, or any file-sharing tool. It's just a ZIP file. Works anywhere, no infrastructure needed.