GPU-native genomics operating system

From raw reads to GIAB-validated variant calls in a continuous GPU pipeline. This is the control surface for the engine: CLI, pipelines, benchmarks, and deployment runbooks.

CUDA 12+ · Hopper · Ampere · GIAB-validated flows · Schemas stable

Security posture

This repo ships a deterministic CLI and container image that produce offline-verifiable evidence bundles. It is typically deployed as a self-hosted runner, not as a multi-tenant SaaS.

Data in bundles

Bundles include:
  • Inputs for replay/audit (match_set, run_context, and optionally adapter_context and corpus_manifest)
  • Deterministic outputs (evidence packets, manifests, state, run digests)
  • Optional embedded license receipt files (license_receipt.json, license_receipt.sha256, license_receipt.summary.json, run_metadata.json)
Bundles do not include corpus contents beyond what is required by contract (e.g., publication numbers and assignee strings present in the returned match_set).

Secrets and tokens

  • Do not commit secrets to git (this repo is scanned; see .gitleaks.toml).
  • If your HTTP adapter requires auth, prefer private networking + mTLS. If you must use bearer tokens, pass them via engine.adapter.headers at deploy time (do not hardcode tokens into watchlist JSON committed to source control).
  • PatentChecker records deterministic inputs/outputs; treat output directories as sensitive and store them according to your org’s retention policy.
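The "configure headers at deploy time, never in committed watchlist JSON" rule can be enforced mechanically. The following is an added example, not PatentChecker's own code or its actual watchlist schema: it walks a watchlist document looking for credential-bearing keys or bearer-style values, and shows the intended pattern of building engine.adapter.headers from the deployment environment. The watchlist layout, the PATENT_ADAPTER_TOKEN variable name and the sample URL are assumptions; only the engine.adapter.headers key comes from this page.

```javascript
// Added example (not PatentChecker's own code): detect credentials hardcoded into
// watchlist JSON and build engine.adapter.headers from the environment instead.
// Watchlist shape, PATENT_ADAPTER_TOKEN and the sample URL are assumed.

// Key names that usually carry credentials, and a value pattern for auth schemes.
const SECRET_KEY_RE = /^(authorization|x-api-key|api[_-]?key|token|secret|password)$/i;
const AUTH_VALUE_RE = /^\s*(Bearer|Basic|Token)\s+\S+/i;

// Walk a parsed JSON value; return the dotted path of every suspicious string.
function findHardcodedSecrets(value, path = []) {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findHardcodedSecrets(item, [...path, String(i)])));
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = [...path, key];
      if (typeof child === "string" && (SECRET_KEY_RE.test(key) || AUTH_VALUE_RE.test(child))) {
        hits.push(childPath.join("."));
      } else {
        hits.push(...findHardcodedSecrets(child, childPath));
      }
    }
  }
  return hits;
}

// Pre-commit style check: a watchlist passes only when nothing secret-like is in it.
function preCommitCheck(watchlist) {
  const hits = findHardcodedSecrets(watchlist);
  return { ok: hits.length === 0, hits };
}

// Deploy-time construction of engine.adapter.headers. The token is read from
// the runner's environment (assumed variable name) and never written to disk.
function buildAdapterHeaders(env) {
  const token = env.PATENT_ADAPTER_TOKEN;
  if (!token) throw new Error("PATENT_ADAPTER_TOKEN is not set; refusing to start the HTTP adapter without auth");
  return { Authorization: `Bearer ${token}` };
}

// Merge deploy-time headers into a committed, secret-free watchlist without mutating it.
function applyDeployHeaders(watchlist, headers) {
  const out = JSON.parse(JSON.stringify(watchlist));
  out.engine = out.engine || {};
  out.engine.adapter = out.engine.adapter || {};
  out.engine.adapter.headers = { ...(out.engine.adapter.headers || {}), ...headers };
  return out;
}

// Constructed sample: what a committed watchlist must NOT look like.
const BAD_WATCHLIST = {
  watchlist: [{ id: "wl-001", query: "example search" }],
  engine: { adapter: { kind: "http", url: "https://patent-search.internal.example/search",
                       headers: { Authorization: "Bearer hardcoded-example-token" } } },
};

// Constructed sample: same config with the credential left out of source control.
const GOOD_WATCHLIST = {
  watchlist: [{ id: "wl-001", query: "example search" }],
  engine: { adapter: { kind: "http", url: "https://patent-search.internal.example/search" } },
};

console.log(preCommitCheck(BAD_WATCHLIST));  // { ok: false, hits: [ 'engine.adapter.headers.Authorization' ] }
console.log(preCommitCheck(GOOD_WATCHLIST)); // { ok: true, hits: [] }
const runtimeConfig = applyDeployHeaders(GOOD_WATCHLIST, buildAdapterHeaders({ PATENT_ADAPTER_TOKEN: "from-deploy-env" }));
console.log(runtimeConfig.engine.adapter.headers); // { Authorization: 'Bearer from-deploy-env' }
```

Running preCommitCheck over every watchlist file in a pre-commit hook complements the .gitleaks.toml scan mentioned above: gitleaks matches known token formats, while this check flags the configuration keys where a token would have to live regardless of its format.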

Network access

  • Offline verification (patentchecker verify:run, patentchecker artifacts verify, patentchecker license verify) performs no network calls.
  • The runner only performs network calls when using an HTTP adapter; adapters are the only component that should talk to your patent corpus/search infrastructure.
  • For fully offline/air-gapped environments, use module adapters (embedded) or file_fixture mode (fixtures/tests).

Supply chain posture

  • Installs are reproducible via npm ci (lockfile pinned).
  • CI runs npm audit (non-blocking) and the sellable-v1-gate (blocking).
  • CI includes container build smoke tests (docker-smoke) and Trivy vulnerability scanning (security-trivy) on PRs and main, plus a weekly schedule.
  • Dependency review falls back to a blocking OSV lockfile scan (osv-scanner) when GitHub Advanced Security is unavailable.
  • CodeQL is wired with fail-safe support detection (security-codeql) and can be force-enabled via repository variable ENABLE_CODEQL=true.
  • Release images are built with SBOM + provenance enabled and signed with cosign (see .github/workflows/release.yml).
  • Trivy gates on HIGH and CRITICAL; any temporary exceptions are tracked in docs/security/vuln-burndown.md.
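The Trivy gate described in this list is a policy decision over a scan report: HIGH and CRITICAL findings block unless an exception is on record, and exceptions should expire rather than linger. The following added example, which is not the repository's actual security-trivy workflow, implements that decision in JavaScript. The report object follows Trivy's JSON output shape (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the burndown table layout is assumed, since the page does not show docs/security/vuln-burndown.md, and every vulnerability identifier below is a constructed placeholder.

```javascript
// Added example (not the repo's CI workflow): gate a Trivy JSON report on
// HIGH/CRITICAL findings, honouring time-boxed exceptions from a burndown file.
// Burndown table layout and all CVE-0000-* identifiers are constructed placeholders.
const GATED_SEVERITIES = new Set(["HIGH", "CRITICAL"]);

// Parse exception rows of the assumed form "| ID | Expires (YYYY-MM-DD) | Reason |".
// Returns Map<id, {expires, reason}>; header and separator rows are skipped.
function parseBurndown(markdown) {
  const exceptions = new Map();
  for (const line of markdown.split("\n")) {
    const cells = line.split("|").map((c) => c.trim());
    if (cells.length < 4) continue;
    const [, id, expires, reason] = cells;
    if (!/^(CVE|GHSA)-/i.test(id) || !/^\d{4}-\d{2}-\d{2}$/.test(expires)) continue;
    exceptions.set(id, { expires, reason });
  }
  return exceptions;
}

// Apply the gate. `today` is an ISO date string so expiry is a plain string compare.
function gateTrivyReport(report, exceptions, today) {
  const blocking = [], waived = [], expired = [];
  for (const result of report.Results || []) {
    for (const v of result.Vulnerabilities || []) {
      if (!GATED_SEVERITIES.has(String(v.Severity).toUpperCase())) continue;
      const finding = {
        id: v.VulnerabilityID, pkg: v.PkgName, installed: v.InstalledVersion,
        fixed: v.FixedVersion || null, severity: v.Severity, target: result.Target,
      };
      const exc = exceptions.get(v.VulnerabilityID);
      if (!exc) blocking.push(finding);
      else if (exc.expires < today) expired.push({ ...finding, expires: exc.expires });
      else waived.push({ ...finding, expires: exc.expires, reason: exc.reason });
    }
  }
  // An expired exception fails the gate too: the burndown entry must be renewed or fixed.
  return { pass: blocking.length === 0 && expired.length === 0, blocking, waived, expired };
}

// Constructed burndown file in the assumed layout.
const BURNDOWN_MD = `# Vulnerability burndown (constructed sample)

| ID | Expires | Reason |
|----|---------|--------|
| CVE-0000-00002 | 2025-12-31 | no fixed version upstream yet |
| CVE-0000-00003 | 2025-03-31 | waiting for base image rebuild |
`;

// Constructed Trivy report in Trivy's JSON shape; identifiers are placeholders.
const TRIVY_REPORT = {
  SchemaVersion: 2,
  Results: [
    {
      Target: "example-image (alpine 3.19)", Class: "os-pkgs", Type: "alpine",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-00001", PkgName: "libexample", InstalledVersion: "1.0.0", FixedVersion: "1.0.1", Severity: "CRITICAL" },
        { VulnerabilityID: "CVE-0000-00002", PkgName: "libother", InstalledVersion: "2.3.0", Severity: "HIGH" },
        { VulnerabilityID: "CVE-0000-00003", PkgName: "libthird", InstalledVersion: "0.9.0", FixedVersion: "0.9.1", Severity: "HIGH" },
        { VulnerabilityID: "CVE-0000-00004", PkgName: "libfour", InstalledVersion: "4.0.0", Severity: "MEDIUM" },
      ],
    },
    { Target: "package-lock.json", Class: "lang-pkgs", Type: "npm" },
  ],
};
const TODAY = "2025-06-01"; // constructed evaluation date

const gate = gateTrivyReport(TRIVY_REPORT, parseBurndown(BURNDOWN_MD), TODAY);
console.log(gate.pass, gate.blocking.length, gate.waived.length, gate.expired.length); // false 1 1 1
```

Feeding `trivy image --format json` output into gateTrivyReport and exiting non-zero when pass is false gives the same blocking behaviour as the workflow's severity filter, with the advantage that every waiver is an explicit, dated row under review rather than an ignore list nobody revisits.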

Reporting and escalation

  • Primary reporting channel: GitHub private vulnerability reporting for this repository.
  • Security response lead: OmnisCoder (omniscoder@users.noreply.github.com).
  • Target response window for vulnerability reports: acknowledge within 1 business day; provide triage status within 3 business days.
  • Incident notification target: notify affected buyers within 24 hours of confirmed product/data security incidents, and no later than 72 hours when regulated personal data is involved.
  • Escalation path: security response lead -> engineering lead -> buyer security contact defined in the active pilot/SOW.
PatentChecker security posture | OGN documentation | Omnis Genomics