Safeguard.sh Documentation Center

Trusted Artifacts

Roadmap — a curated catalog of hardened, minimal, signed base images with SBOM and SLSA provenance, plus (later) build-from-source and FIPS/STIG variants.

Trusted Artifacts

Roadmap — not yet available. Trusted Artifacts is a planned capability documented here for direction. It reuses the shipped container scanner, SBOM engine, and signing/provenance primitives, but the catalog and factory are not yet available.

Trusted Artifacts is planned as a source of hardened, minimal, signed base images with full supply-chain attestation — so the artifacts you build on start clean and provable. It is phased: a curated golden-image catalog with attestation first, then a build-from-source factory and FIPS/STIG variants as demand-gated later phases.

Phase 1 — curated catalog + attestation (planned first)

A curated set of hardened, minimal (distroless) base images — language runtimes and common services — each of which will carry:

  • CVE tracking — scanned by the container scanner on ingest and rebuild, with recorded critical/high counts and a remediation SLA.
  • Build-time SBOM — both SPDX 2.3 and CycloneDX 1.5, generated from image layers.
  • Signature — a cosign/Sigstore signature over the image digest, with keys held in KMS/HSM only.
  • SLSA provenance — an in-toto build-provenance attestation (builder identity, source ref, build params).
  • Golden-image recommendation — given your current base image, the nearest hardened catalog equivalent and the CVE delta.

Consumers verify with a single command that runs signature, attestation, and SBOM retrieval — the same check a CI pipeline or admission controller calls:

safeguard artifacts verify <ref>

Phase 2 — build-from-source, rebuild, FIPS/STIG (planned, demand-gated)

  • Build-from-source factory — a melange/apko-style pipeline building each package from source into a minimal, pinned, reproducible, distroless image.
  • Daily rebuild + CVE SLA — a continuous rebuild loop that re-scans and republishes with a fresh SBOM, signature, and provenance, trending CVE counts toward zero. "Zero-CVE" is stated honestly as no known CVEs at publish under SLA — not a perpetual guarantee.
  • FIPS / STIG variants — images embedding a CMVP-validated crypto module in approved-only mode and STIG-hardened builds, for FedRAMP/DoD buyers.

How it connects

Trusted Artifacts is designed to bridge two other capabilities: an admission-control path can call the verify step to block unsigned, vulnerable, or non-attested images at deploy, and AI-SPM reuses the same signing and provenance machinery to sign and attest model artifacts (model SBOM + signature + provenance). It reuses the existing container scanner and SBOM engine rather than forking them.

When it ships

Provenance records will be tenant-scoped, signing keys held in KMS/HSM only, every publish/sign/rebuild audit-logged, with on-prem/air-gap parity via keyed cosign and a self-hosted registry. Gated by the ff.trusted_artifacts feature flag.

On this page