# Supply Chain Security
All Aotanami release artifacts are signed, attested, and scanned. This guide explains how to verify them.
## Security Guarantees
| Guarantee | Implementation |
|---|---|
| Image signing | Cosign keyless (Fulcio + Rekor) |
| SLSA L3 provenance | slsa-framework/slsa-github-generator (isolated build) |
| SBOMs | SPDX + CycloneDX via Syft |
| SBOM attestation | Cosign attest (signed proof of SBOM integrity) |
| Vulnerability scan | Grype blocks releases with critical/high CVEs |
| Supply chain hardening | Actions pinned to commit SHA, harden-runner, persist-credentials: false |
| Helm chart signing | Cosign keyless with SBOM attestation |
## Verifying Container Images
Every release image is signed with Cosign using keyless signing (Fulcio + Rekor transparency log).
```bash
# Verify the image signature
cosign verify ghcr.io/aotanami/aotanami:v0.1.0 \
  --certificate-identity-regexp='https://github.com/aotanami/aotanami' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
```
## Verifying Helm Charts
Helm OCI charts are also Cosign-signed:
```bash
cosign verify ghcr.io/aotanami/charts/aotanami:0.1.0 \
  --certificate-identity-regexp='https://github.com/aotanami/aotanami' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
```
## SLSA Provenance
Release images include SLSA Level 3 provenance attestations via the official slsa-github-generator, certifying the build process integrity.
```bash
# Verify SLSA provenance
cosign verify-attestation ghcr.io/aotanami/aotanami:v0.1.0 \
  --type slsaprovenance \
  --certificate-identity-regexp='https://github.com/slsa-framework/slsa-github-generator' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

# Or using the SLSA verifier CLI
slsa-verifier verify-image ghcr.io/aotanami/aotanami:v0.1.0 \
  --source-uri github.com/aotanami/aotanami
```
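A passing `cosign verify-attestation` only proves the envelope was signed by the expected identity; it does not check what the provenance says. The policy check below is an added example (not Aotanami project code) that reads the DSSE envelope lines cosign prints, decodes the in-toto statement, and rejects provenance whose subject digest, builder or source repository differ from what this page's commands expect. It assumes the v0.2 provenance layout produced by slsa-github-generator (`predicate.builder.id`, `predicate.invocation.configSource.uri`); the sample envelope and its signature bytes are constructed. Compare against the image's manifest digest rather than a tag where you can, since tags can be moved.

```python
"""Policy check over the output of `cosign verify-attestation --type slsaprovenance`.
Added example, not project code; cosign has already verified the signature, so the
envelope's 'signatures' field is deliberately not re-checked here."""
import base64
import json
import sys

# Expected values taken from the verification commands on this page.
EXPECTED_SOURCE_PREFIX = "git+https://github.com/aotanami/aotanami@"
EXPECTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"


def decode_envelope(line: str) -> dict:
    """cosign prints one DSSE envelope per line; the in-toto statement is base64 in 'payload'."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, image_digest: str) -> list[str]:
    """Return policy violations; an empty list means the provenance is acceptable."""
    problems = []
    if statement.get("predicateType") != SLSA_V02:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # The attestation must be about the exact image we resolved (sha256 hex digest).
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in digests:
        problems.append("subject digest does not match the image being verified")
    predicate = statement.get("predicate", {})
    # v0.2 layout (assumption): builder.id names the reusable workflow that built the image.
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(EXPECTED_BUILDER_PREFIX):
        problems.append(f"untrusted builder {builder_id!r}")
    # configSource.uri records the repository and ref that triggered the build.
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(EXPECTED_SOURCE_PREFIX):
        problems.append(f"provenance not from the expected repository: {source!r}")
    return problems


# Constructed sample envelope (placeholder digest and signature), shaped like cosign's output.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "ghcr.io/aotanami/aotanami", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER_PREFIX
                    + ".github/workflows/generator_container_slsa3.yml@refs/tags/vX.Y.Z"},
        "invocation": {"configSource": {"uri": EXPECTED_SOURCE_PREFIX + "refs/tags/v0.1.0"}},
    },
}
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],
})

if __name__ == "__main__":
    # Usage: cosign verify-attestation ... | python check_provenance.py <sha256-hex-digest>
    digest = sys.argv[1] if len(sys.argv) > 1 else "a" * 64
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else [SAMPLE_ENVELOPE_LINE]
    failures = [p for line in lines if line.strip() for p in check_provenance(decode_envelope(line), digest)]
    for failure in failures:
        print("FAIL:", failure)
    sys.exit(1 if failures else 0)
```

The check exits non-zero on any violation, so it can sit behind the cosign command in a deployment pipeline; `slsa-verifier verify-image` performs the same builder and source checks itself, which is why the page offers it as an alternative.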
## SBOMs
Each release includes Software Bills of Materials in both SPDX and CycloneDX formats, generated by Syft. SBOMs are:
- Attested to the container image (signed proof of integrity)
- Attached as OCI artifacts
- Uploaded as GitHub Release assets
```bash
# Verify SBOM attestation
cosign verify-attestation ghcr.io/aotanami/aotanami:v0.1.0 \
  --type spdxjson \
  --certificate-identity-regexp='https://github.com/aotanami/aotanami' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

# Download SBOMs from release page:
# - sbom-spdx.json / sbom-cyclonedx.json (container image)
# - helm-sbom-spdx.json / helm-sbom-cyclonedx.json (Helm chart)
```
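The release-asset SBOM is convenient to download, but the attestation is what carries the signed proof of integrity. The added example below (not project code) decodes the envelope from `cosign verify-attestation --type spdxjson`, confirms it is an SPDX attestation about the image digest being verified, and diffs its package list against a downloaded `sbom-spdx.json` so you can tell whether the asset matches what was attested. Packages are compared by SPDX `name` and `versionInfo`; the two sample documents are constructed.

```python
"""Cross-check the attested SPDX SBOM against the sbom-spdx.json release asset.
Added example, not Aotanami project code."""
import base64
import json

# cosign's `--type spdxjson` predicate carries the SPDX document under this predicateType.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"


def decode_envelope(line: str) -> dict:
    """One DSSE envelope per cosign output line; the in-toto statement is base64 in 'payload'."""
    return json.loads(base64.b64decode(json.loads(line)["payload"]))


def attested_sbom(statement: dict, image_digest: str) -> dict:
    """Return the SPDX document from the attestation after checking type and subject digest."""
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in digests:
        raise ValueError("attestation subject does not match the image digest")
    return statement["predicate"]


def package_set(spdx_doc: dict) -> set[tuple[str, str]]:
    """(name, version) of every SPDX package; Syft's root package describes the image itself."""
    return {(p["name"], p.get("versionInfo", "")) for p in spdx_doc.get("packages", [])}


def diff_sboms(attested: dict, downloaded: dict) -> dict[str, set[tuple[str, str]]]:
    """Packages in one document but not the other; both sets empty means the release
    asset lists exactly what the signed attestation vouches for."""
    a, d = package_set(attested), package_set(downloaded)
    return {"only_in_attested": a - d, "only_in_downloaded": d - a}


# Constructed sample data (placeholder digest, made-up package names).
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "ghcr.io/aotanami/aotanami",
    "packages": [
        {"SPDXID": "SPDXRef-Image", "name": "ghcr.io/aotanami/aotanami", "versionInfo": "v0.1.0"},
        {"SPDXID": "SPDXRef-Pkg-1", "name": "libexample", "versionInfo": "1.2.3"},
        {"SPDXID": "SPDXRef-Pkg-2", "name": "tzdata", "versionInfo": "2024a"},
    ],
}
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "ghcr.io/aotanami/aotanami", "digest": {"sha256": "a" * 64}}],
    "predicate": SAMPLE_SPDX,
}
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],
})
# A downloaded copy with one package that the attestation never listed.
TAMPERED_DOWNLOAD = {"packages": SAMPLE_SPDX["packages"] + [{"name": "extra-lib", "versionInfo": "9.9"}]}

if __name__ == "__main__":
    sbom = attested_sbom(decode_envelope(SAMPLE_ENVELOPE_LINE), "a" * 64)
    print("attested packages:", len(package_set(sbom)))
    print("diff vs. tampered download:", diff_sboms(sbom, TAMPERED_DOWNLOAD))
```

In real use, feed the cosign output line and the downloaded JSON file in place of the samples; any non-empty set in the diff means the asset and the attestation disagree and the attested copy should be treated as authoritative.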
## Vulnerability Scanning
Every release is scanned with Grype. Releases with critical or high CVEs are blocked. Results are uploaded to GitHub Security (SARIF) and visible under the repository's Security → Code scanning tab.
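To apply the same critical/high gate to an image you run locally, the added example below (not the project's release workflow) evaluates a Grype JSON report and fails when any finding has severity Critical or High. It assumes Grype's JSON layout (`matches[].vulnerability.{id,severity}` and `matches[].artifact.{name,version}`); the sample report is constructed and its vulnerability IDs are placeholders, not real CVEs.

```python
"""Local reproduction of the release gate over a Grype JSON report (`grype <image> -o json`).
Added example, not Aotanami project code."""
import json
import sys
from collections import Counter

BLOCKING_SEVERITIES = {"Critical", "High"}


def _severity(match: dict) -> str:
    # Grype reports severities as capitalised words; normalise defensively.
    return str(match.get("vulnerability", {}).get("severity", "Unknown")).capitalize()


def blocking_findings(report: dict) -> list[dict]:
    """One entry per match whose severity would block the release."""
    findings = []
    for match in report.get("matches", []):
        severity = _severity(match)
        if severity in BLOCKING_SEVERITIES:
            artifact = match.get("artifact", {})
            findings.append({
                "id": match.get("vulnerability", {}).get("id", "?"),
                "severity": severity,
                "package": f"{artifact.get('name', '?')}@{artifact.get('version', '?')}",
            })
    return findings


def severity_counts(report: dict) -> Counter:
    """Summary of all findings by severity, useful even when the gate passes."""
    return Counter(_severity(m) for m in report.get("matches", []))


def release_allowed(report: dict) -> bool:
    return not blocking_findings(report)


# Constructed sample report; IDs are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-PLACEHOLDER-1", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-PLACEHOLDER-2", "severity": "Low"},
         "artifact": {"name": "tzdata", "version": "2024a"}},
    ]
}

if __name__ == "__main__":
    # Usage: python gate.py grype-report.json   (falls back to the sample report)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print("findings by severity:", dict(severity_counts(report)))
    for finding in blocking_findings(report):
        print(f"BLOCK: {finding['id']} ({finding['severity']}) in {finding['package']}")
    sys.exit(0 if release_allowed(report) else 1)
```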
## Artifact Summary
| Artifact | Registry | Signing | Attestations |
|---|---|---|---|
| Container image | ghcr.io/aotanami/aotanami | Cosign keyless | SBOM (SPDX + CycloneDX), SLSA L3 Provenance |
| Helm chart (OCI) | ghcr.io/aotanami/charts/aotanami | Cosign keyless | SBOM (SPDX) |
| SBOMs | GitHub Release + OCI | — | SPDX, CycloneDX |
| Vulnerability scan | GitHub Security (SARIF) | — | Grype |