Overview
Supply chain integrity, documentation, and operational readiness. This phase ensures Kapsis can be used safely in production environments with verifiable provenance.
Components
1. Container Image Signing
Keyless signing with Sigstore cosign:
- OIDC-based identity (no key management)
- Transparency log via Rekor
- Tamper detection
- Full audit trail
2. SBOM Generation
Software Bill of Materials in SPDX format:
- Complete dependency inventory
- Vulnerability scanning with Grype
- Attached as attestation to signed images
3. Build Provenance
SLSA attestation for builds to verify:
- Where the image was built
- What source code was used
- Who triggered the build
Verification Flow
# Verify container signature. Keyless verification must pin the expected signing identity
# and OIDC issuer (cosign 2.x refuses to verify without them); the quoted values are placeholders
# for the project's release workflow identity and its issuer URL.
cosign verify \
  --certificate-identity-regexp '<release-workflow-identity>' \
  --certificate-oidc-issuer '<oidc-issuer-url>' \
  kapsis:${VERSION}
# View SBOM. verify-attestation prints a DSSE envelope with the SPDX document base64-encoded
# in .payload; unwrap it into a file that grype can read.
cosign verify-attestation --type spdxjson \
  --certificate-identity-regexp '<release-workflow-identity>' \
  --certificate-oidc-issuer '<oidc-issuer-url>' \
  kapsis:${VERSION} | jq -r '.payload' | base64 -d | jq '.predicate' > sbom.spdx.json
# Scan for vulnerabilities
grype sbom:sbom.spdx.json
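The SBOM step above depends on correctly unwrapping what `cosign verify-attestation` prints: one DSSE envelope per line whose base64 payload is an in-toto statement carrying the SPDX document as its predicate. The following Python example is added here and is not Kapsis project code; the image name, digest and package entries are constructed sample data. It decodes the envelope, checks the predicate type and that the attestation's subject digest matches the image actually pulled, and writes the SPDX document for grype.

```python
import base64
import json

# Predicate type cosign uses for `--type spdxjson` attestations.
SPDX_PREDICATE = "https://spdx.dev/Document"

# Constructed sample: a minimal in-toto statement of the kind cosign wraps in a DSSE
# envelope when an SPDX SBOM is attached to an image. Digest and packages are made up.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "registry.example/kapsis", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "kapsis",
        "packages": [
            {"name": "openssl", "versionInfo": "3.0.13", "SPDXID": "SPDXRef-Package-openssl"},
            {"name": "zlib", "versionInfo": "1.3.1", "SPDXID": "SPDXRef-Package-zlib"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<constructed, not a real signature>"}],
})


def extract_sbom(envelope_json: str, expected_digest: str) -> dict:
    """Decode one DSSE envelope line and return the SPDX document inside it.
    Signature validity is already established by cosign; this only checks that the
    envelope really is an SPDX SBOM and that it is bound to the expected image digest."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"not an SPDX attestation: {stmt.get('predicateType')!r}")
    # Binding check: an SBOM for some other artifact must not be accepted for this image.
    if not any(s.get("digest", {}).get("sha256") == expected_digest for s in stmt.get("subject", [])):
        raise ValueError("attestation subject does not match the image digest")
    return stmt["predicate"]


def package_versions(sbom: dict) -> dict:
    """Flatten the SPDX package list to {name: version} for a quick inventory view."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}


if __name__ == "__main__":
    sbom = extract_sbom(SAMPLE_ENVELOPE, "a" * 64)
    with open("sbom.spdx.json", "w") as fh:  # input for: grype sbom:sbom.spdx.json
        json.dump(sbom, fh)
    print(package_versions(sbom))
```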
Success Criteria
| Metric | Target |
|---|---|
| All releases signed | 100% |
| SBOM generated | 100% |
| Signature verification works | 100% |
| Security documentation complete | 100% |
Dependencies
Priority
MEDIUM
Part of the Security Hardening Roadmap, based on the Lethal Trifecta mitigation strategy.