Security Overview
This section documents the supply chain security measures applied to all container images built and published from this repository.
What we protect against
| Threat |
Mitigation |
| Tag mutation (image replaced after signing) |
Kyverno pins tags to digests at admission time |
| Compromised registry |
cosign signatures are independently verifiable via Rekor transparency log |
| Unsigned image deployed to cluster |
Kyverno ClusterPolicy blocks unsigned webgrip images |
| Unknown software components |
CycloneDX SBOM generated and attested for every release |
| Unpatched CVEs in base images |
Trivy scans on every release, results in GitHub Security tab |
| Workflow impersonation |
OIDC certificate is bound to the exact workflow file path and Git ref |
Security pipeline overview
graph LR
A[git push / release] --> B[Build & push image]
B --> C[Resolve digest]
C --> D[cosign sign]
C --> E[Syft SBOM]
E --> F[cosign attest SBOM]
C --> G[GitHub attest provenance]
C --> H[Trivy scan]
H --> I[GitHub Security tab]
D --> J[Rekor transparency log]
F --> J
D --> K[OCI registry]
F --> K
G --> K
G --> L[GitHub Attestation store]
Standards coverage
Quick links