Each release must include or reference the following:

• SBOM for the released artifact
• SAST/SCA/DAST summaries with open findings listed
• Secrets‑scan confirmation
• IaC/container scan results (if applicable)
• Change log describing user‑visible and operational impacts
• Deployment and rollback plan
• UAT sign‑off and acceptance artifacts
• Logging schema updates (if changed)
• POA&M for unresolved items with owners and target dates