SoulbyteSigmaSchoolChangelogs

CODE + PACKAGES submission category

CODE + PACKAGES

The CODE + PACKAGES category is the recommended submission type for any Python or Node.js project that imports third-party libraries. It extends the standard code review to include full supply chain verification: every declared dependency is independently fetched, integrity-verified, and reviewed by a SIGMA council before the submission is approved.

What SIGMA reviews:

Everything in the CODE category, plus supply chain verification of every direct dependency: the package is fetched from its official registry, its distribution file is checked against the digest that registry publishes for the release (PyPI publishes a SHA-256 hex digest; npm publishes a Subresource Integrity string, normally SHA-512, so for npm the check is against that field rather than a SHA256 value), and its source code is analysed for security patterns. SIGMA also expands the dependency graph through three levels of transitives (L1 to L3), preserves parent attribution for each transitive, and discloses which transitive packages were certified, flagged, or left uncertified because the transitive audit cap was reached.
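The integrity step above, as an added example (not SIGMA's own code): a downloaded distribution is compared against the value the registry publishes, in the two forms the two registries actually use. PyPI's JSON API carries a `digests.sha256` hex string; npm's `dist.integrity` is a Subresource Integrity string that may list several digests, and the SRI rule is that the strongest algorithm present decides. The sample bytes and the "published" values are constructed inline; `make_sri` and `sha256_hex` exist only to fabricate those values for the demo.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a downloaded sdist/wheel or npm tarball (not a real archive).
SAMPLE_DIST = b"example-1.0.0 distribution bytes, constructed for this example"

# Digest algorithms the SRI format allows. npm's legacy sha1 `shasum` is deliberately absent:
# a sha1 match proves little about tampering, so an integrity field offering only sha1 fails closed.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sha256_hex(data: bytes) -> str:
    """Hex digest in the form PyPI publishes as `digests.sha256` in its JSON API."""
    return hashlib.sha256(data).hexdigest()


def verify_pypi_sha256(data: bytes, published_hex: str) -> bool:
    """Compare a downloaded distribution against the registry's published SHA-256 hex digest."""
    expected = published_hex.strip().lower().encode("utf-8")
    return hmac.compare_digest(sha256_hex(data).encode("ascii"), expected)


def parse_sri(integrity: str) -> list:
    """Split an SRI string ('sha512-<b64> sha256-<b64>') into (algorithm, raw digest) pairs.
    Unknown algorithms, bad base64 and wrong digest lengths raise, so unusable metadata fails closed."""
    entries = []
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")  # base64 never contains '-', so this split is safe
        if not sep or algo not in SRI_ALGORITHMS:
            raise ValueError(f"unsupported or malformed SRI token: {token!r}")
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError(f"invalid base64 in SRI token: {token!r}") from exc
        if len(digest) != SRI_ALGORITHMS[algo]().digest_size:
            raise ValueError(f"digest length does not match {algo}: {token!r}")
        entries.append((algo, digest))
    if not entries:
        raise ValueError("empty integrity string")
    return entries


def verify_npm_integrity(data: bytes, integrity: str) -> bool:
    """Check a tarball against npm's `dist.integrity` field. SRI allows several digests in one
    string; per the SRI rule, the strongest algorithm present is the one that decides."""
    algo, expected = max(parse_sri(integrity), key=lambda e: SRI_STRENGTH[e[0]])
    return hmac.compare_digest(SRI_ALGORITHMS[algo](data).digest(), expected)


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI token. Used here only to fabricate the 'published' value for the sample."""
    return f"{algo}-" + base64.b64encode(SRI_ALGORITHMS[algo](data).digest()).decode("ascii")


if __name__ == "__main__":
    pypi_published = sha256_hex(SAMPLE_DIST)  # what the registry metadata would carry
    npm_published = make_sri(SAMPLE_DIST)
    print("pypi match:", verify_pypi_sha256(SAMPLE_DIST, pypi_published))
    print("npm match:", verify_npm_integrity(SAMPLE_DIST, npm_published))
    print("tampered tarball:", verify_npm_integrity(SAMPLE_DIST + b"\x00", npm_published))
```

The comparisons use `hmac.compare_digest` and every parse failure raises rather than returning False, so a registry response with a missing or malformed integrity field is treated as a verification failure, not as "nothing to check".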

Dependency requirements:

Dependencies must resolve to an exact version on an official public registry. Exact pins are accepted directly. Public-registry ranges such as requests>=2.28.0 or ^1.6.0 are resolved by SIGMA to one concrete version at quote / submission time, and the certificate discloses both the declared spec and the exact version that was audited. Private registry URLs, version control references, and local file references are rejected at intake.
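An intake check implementing the rules above, added here as an example and not SIGMA's own intake code. It sorts each declared dependency into EXACT (audit as declared), RANGE (resolve to one version first) or REJECT (private index, VCS, URL or local path), for both a requirements.txt and a package.json. The requirement grammar is a simplified PEP 508 / npm-semver subset, and the sample files, package names and hostnames are constructed; anything the classifier does not recognise (npm dist-tags, `npm:` aliases, arbitrary-equality pins) is rejected rather than guessed at.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IntakeDecision:
    ecosystem: str  # "pypi" or "npm"
    name: str
    spec: str
    verdict: str    # EXACT = audited as declared; RANGE = resolved to one version at quote time; REJECT
    reason: str


# PEP 508 requirement shape: name, optional [extras], version specifier, optional ;marker.
_PY_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*?)\s*(;.*)?$")
_PY_EXACT = re.compile(r"^==\s*[A-Za-z0-9._+!-]+$")  # ==2.31.0; wildcard pins such as ==6.* are ranges
_PY_RANGE = re.compile(r"^(?:(?:~=|==|!=|<=|>=|<|>)\s*[A-Za-z0-9._+!*-]+\s*,?\s*)*$")  # also matches ""
_VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+", "git:", "github:", "gitlab:", "bitbucket:", "gist:")

_NPM_EXACT = re.compile(r"^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
_NPM_RANGE = re.compile(r"^[\d\sxX*.^~<>=|-]+$")  # ^1.6.0, ~2.1, 1.x, >=1 <2, 1.0.0 - 2.0.0, *
_GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(?:#.*)?$")  # user/repo[#ref]


def classify_python_requirement(line: str) -> Optional[IntakeDecision]:
    """One requirements.txt line -> decision, or None for blank and comment lines."""
    line = line.split(" #", 1)[0].strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("-"):  # -e, -i/--index-url, --extra-index-url, -f/--find-links, -r ...
        return IntakeDecision("pypi", line, line, "REJECT", "pip option: editable install or non-default index")
    if line.startswith(_VCS_PREFIXES):
        return IntakeDecision("pypi", line, line, "REJECT", "version control reference")
    if line.startswith("file:"):
        return IntakeDecision("pypi", line, line, "REJECT", "local file reference")
    if "://" in line or "@" in line:  # PEP 508 'name @ url' direct references
        return IntakeDecision("pypi", line, line, "REJECT", "direct URL reference")
    if line.startswith((".", "/", "~")) or "/" in line:
        return IntakeDecision("pypi", line, line, "REJECT", "local file reference")
    m = _PY_REQ.match(line)
    if not m:
        return IntakeDecision("pypi", line, line, "REJECT", "unparseable requirement")
    name, _extras, spec, _marker = m.groups()
    if _PY_EXACT.match(spec):
        return IntakeDecision("pypi", name, spec, "EXACT", "exact pin")
    if _PY_RANGE.match(spec):
        return IntakeDecision("pypi", name, spec, "RANGE", "public-registry range, resolved at quote time")
    return IntakeDecision("pypi", name, spec, "REJECT", "unrecognised version specifier")


def classify_node_dependency(name: str, spec: str) -> IntakeDecision:
    """One package.json dependency entry -> decision."""
    spec = spec.strip() or "*"  # npm treats an empty spec as "*"
    if spec.startswith("file:") or spec.startswith(("./", "../", "/", "~/")):
        return IntakeDecision("npm", name, spec, "REJECT", "local file reference")
    if spec.startswith(_VCS_PREFIXES) or _GITHUB_SHORTHAND.match(spec):
        return IntakeDecision("npm", name, spec, "REJECT", "version control reference")
    if "://" in spec:
        return IntakeDecision("npm", name, spec, "REJECT", "tarball URL or private registry reference")
    if _NPM_EXACT.match(spec):
        return IntakeDecision("npm", name, spec, "EXACT", "exact pin")
    if _NPM_RANGE.match(spec):
        return IntakeDecision("npm", name, spec, "RANGE", "public-registry range, resolved at quote time")
    # dist-tags ("latest"), "npm:" aliases and anything else are not handled here and fail closed
    return IntakeDecision("npm", name, spec, "REJECT", "unrecognised version specifier")


def intake(requirements_txt: str, package_json: str) -> list:
    """Classify every declared dependency of a submission; only "dependencies" is read here."""
    decisions = [d for d in map(classify_python_requirement, requirements_txt.splitlines()) if d]
    for name, spec in json.loads(package_json).get("dependencies", {}).items():
        decisions.append(classify_node_dependency(name, spec))
    return decisions


def rejected(decisions: list) -> list:
    return [d for d in decisions if d.verdict == "REJECT"]


# Constructed sample inputs; hostnames and package names are fictitious.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for this example
requests==2.31.0
cryptography>=41.0,<43
pyyaml==6.*
-e ./src
git+https://git.example/team/lib.git@v1.0.0
mylib @ https://files.example/mylib-1.0-py3-none-any.whl
--index-url https://pypi.internal.example/simple
"""
SAMPLE_PACKAGE_JSON = json.dumps({"name": "demo", "dependencies": {
    "lodash": "4.17.21", "express": "^4.18.0", "left-pad": "",
    "helper": "file:../helper", "fork": "github:someone/fork", "short": "someone/short",
    "tarball": "https://registry.internal.example/tarball.tgz"}})

if __name__ == "__main__":
    for d in intake(SAMPLE_REQUIREMENTS, SAMPLE_PACKAGE_JSON):
        print(f"{d.ecosystem:5} {d.verdict:6} {d.name:<20} {d.spec!r:<55} {d.reason}")
```

Note the ordering of the checks: the `-` test runs first so that `--index-url` and `--extra-index-url` lines are rejected as private-index configuration even when they point at a host that looks public, and the URL and path tests run before the specifier regexes so that nothing shaped like `name @ url` can slip through as a version range.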

Pricing:

The total fee is the base code analysis fee plus a per-package fee for any dependencies not already in the Package Trust Registry. Packages already certified by a previous submission, whether yours or another developer's, are free. The developer portal shows an itemised quote before submission, including how much the shared registry has already saved.

The certificate:

The certificate includes the full code review plus a package analysis block listing every direct dependency, its certification status, its security level, and any warnings retained from the council review. Transitive packages are shown with their depth (L1 to L3) and parent attribution. Blocked direct and L1 dependencies are automatic blockers; blocked L2/L3 transitives are advisory warnings for the council.
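How the package analysis block drives the approval decision, as an added example (not the certificate's real schema or SIGMA's code): each row carries its depth and parent, the parent pointers are walked back to the direct dependency for attribution, and the blocked/flagged/uncertified rules above are applied per depth. Field names, the fictitious package names and their statuses are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TRANSITIVE_DEPTH = 3  # SIGMA expands L1..L3; deeper packages never appear in the block


@dataclass(frozen=True)
class PackageEntry:
    """One row of the package analysis block (field names are this example's own)."""
    name: str
    version: str
    depth: int                    # 0 = direct dependency, 1..3 = L1..L3 transitive
    status: str                   # "certified" | "flagged" | "blocked" | "uncertified"
    parent: Optional[str] = None  # package that pulled this one in; None for direct dependencies
    warnings: tuple = ()          # council warnings retained for flagged packages


def level(entry: PackageEntry) -> str:
    return "direct" if entry.depth == 0 else f"L{entry.depth}"


def attribution_chain(entry: PackageEntry, by_name: dict) -> str:
    """Follow parent pointers back to the direct dependency: 'app-http > app-cert > app-codec'.
    Stops on a cycle or a dangling parent instead of looping forever on a malformed block."""
    chain, seen, cur = [entry.name], {entry.name}, entry
    while cur.parent is not None and cur.parent in by_name and cur.parent not in seen:
        cur = by_name[cur.parent]
        seen.add(cur.name)
        chain.append(cur.name)
    return " > ".join(reversed(chain))


def evaluate_package_block(entries: list) -> dict:
    """Apply the certificate rules: blocked direct/L1 packages block approval, blocked L2/L3
    packages become advisories, flagged warnings and cap-limited uncertified packages are disclosed."""
    by_name = {e.name: e for e in entries}  # assumes one row per package name, as in the sample
    report = {"blockers": [], "advisories": [], "warnings": [], "uncertified": []}
    for e in entries:
        if not 0 <= e.depth <= MAX_TRANSITIVE_DEPTH:
            raise ValueError(f"{e.name}: depth {e.depth} outside direct..L{MAX_TRANSITIVE_DEPTH}")
        if e.depth > 0 and e.parent is None:
            raise ValueError(f"{e.name}: transitive package without parent attribution")
        where = f"{e.name}@{e.version} [{level(e)}] via {attribution_chain(e, by_name)}"
        if e.status == "blocked":
            (report["blockers"] if e.depth <= 1 else report["advisories"]).append(where)
        elif e.status == "flagged":
            report["warnings"].extend(f"{where}: {w}" for w in e.warnings)
        elif e.status == "uncertified":
            report["uncertified"].append(where + (" (transitive audit cap reached)" if e.depth else ""))
        elif e.status != "certified":
            raise ValueError(f"{e.name}: unknown status {e.status!r}")
    report["approved"] = not report["blockers"]
    return report


# Constructed package block with fictitious package names; statuses are invented for the example.
SAMPLE_BLOCK = [
    PackageEntry("app-http", "2.0.0", 0, "certified"),
    PackageEntry("app-tls", "1.4.2", 1, "blocked", parent="app-http"),
    PackageEntry("app-cert", "3.1.0", 1, "flagged", parent="app-http",
                 warnings=("uses deprecated hash API",)),
    PackageEntry("app-codec", "0.9.1", 2, "blocked", parent="app-cert"),
    PackageEntry("app-deep", "0.1.0", 3, "uncertified", parent="app-codec"),
]

if __name__ == "__main__":
    for key, rows in evaluate_package_block(SAMPLE_BLOCK).items():
        print(key, rows)
```

With the sample block the submission is not approved because of the blocked L1 package; remove that one row and the same block is approved, with the blocked L2 package surfacing only as an advisory for the council.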

Certificate schema version: 4

Related: Package Trust Registry, Dependency requirements, Code certificate structure.