Charon/docs/features/supply-chain-security.md (commit eec8c28fb3 by akanealw)
Last commit: "changed perms", 2026-04-22 18:19:14 +00:00


| title | description |
| --- | --- |
| Verified Builds | Cryptographic signatures, SLSA provenance, and SBOM for every release |

Verified Builds

Know exactly what you're running. Every Charon release includes cryptographic signatures, SLSA provenance attestation, and a Software Bill of Materials (SBOM). Enterprise-grade supply chain security for everyone.

Overview

Supply chain attacks are increasingly common. Charon protects you with multiple verification layers that prove the image you're running was built from the official source code, hasn't been tampered with since it was built, and has every component it contains listed in a machine-readable inventory.

Security Artifacts

| Artifact | Purpose | Standard |
| --- | --- | --- |
| Cosign Signature | Cryptographic proof of origin | Sigstore |
| SLSA Provenance | Build process attestation | SLSA Level 3 |
| SBOM | Complete dependency inventory | SPDX/CycloneDX |

Why Supply Chain Security Matters

| Threat | Mitigation |
| --- | --- |
| Compromised CI/CD | SLSA provenance verifies build source |
| Malicious maintainer | Signatures require private key access |
| Dependency hijacking | SBOM enables vulnerability scanning |
| Registry tampering | Signatures detect unauthorized changes |
| Audit requirements | Complete traceability for compliance |

Verifying Image Signatures

Prerequisites

```bash
# Install Cosign
# macOS
brew install cosign

# Linux
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
# Check the binary against the checksums/signature published with the release
# before trusting it as your verifier.
chmod +x cosign-linux-amd64 && sudo mv cosign-linux-amd64 /usr/local/bin/cosign
```

Verify a Charon Image

```bash
# Verify signature (keyless: the signing certificate's identity and OIDC issuer
# are checked against the Sigstore public transparency log; no public key to ship)
cosign verify ghcr.io/wikid82/charon:latest \
  --certificate-identity-regexp='https://github.com/Wikid82/charon/.*' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

# Prefer an immutable reference (ghcr.io/wikid82/charon@sha256:<digest>) so the
# image you verified is exactly the image you run; a tag can be moved later.

# Successful keyless output shows:
# Verification for ghcr.io/wikid82/charon:latest --
# The following checks were performed on each of these signatures:
#   - The cosign claims were validated
#   - Existence of the claims in the transparency log was verified offline
#   - The code-signing certificate was verified using trusted certificate authority certificates
```

Verify SLSA Provenance

```bash
# Install slsa-verifier
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest

# Verify provenance attestation. slsa-verifier expects the image by digest
# (an immutable reference), not by tag; resolve the digest first, for example
# with `crane digest ghcr.io/wikid82/charon:v2.0.0`.
slsa-verifier verify-image ghcr.io/wikid82/charon@sha256:<digest> \
  --source-uri github.com/Wikid82/charon \
  --source-tag v2.0.0
```

Software Bill of Materials (SBOM)

What's Included

The SBOM lists every component in the image:

  • Go modules and versions
  • System packages (Alpine)
  • Frontend npm dependencies
  • Build tools used

Retrieving the SBOM

```bash
# Download SBOM attestation
cosign download sbom ghcr.io/wikid82/charon:latest > charon-sbom.spdx.json

# Note: `download sbom` fetches the attached SBOM without checking who produced it.
# If the SBOM is published as a signed attestation, verify it with the same
# identity constraints used for the image signature:
# cosign verify-attestation --type spdxjson ghcr.io/wikid82/charon:latest \
#   --certificate-identity-regexp='https://github.com/Wikid82/charon/.*' \
#   --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

# View in human-readable format (SPDX JSON stores the version as versionInfo)
jq '.packages[] | {name, versionInfo}' charon-sbom.spdx.json
```

Vulnerability Scanning

Use the SBOM with vulnerability scanners:

```bash
# Scan with Trivy
trivy sbom charon-sbom.spdx.json

# Scan with Grype
grype sbom:charon-sbom.spdx.json
```

SLSA Provenance Details

SLSA (Supply-chain Levels for Software Artifacts) provenance includes:

| Field | Content |
| --- | --- |
| buildType | GitHub Actions workflow |
| invocation | Commit SHA, branch, workflow run |
| materials | Source repository, dependencies |
| builder | GitHub-hosted runner details |

Example Provenance

```json
{
  "buildType": "https://github.com/slsa-framework/slsa-github-generator",
  "invocation": {
    "configSource": {
      "uri": "git+https://github.com/Wikid82/charon@refs/tags/v2.0.0",
      "entryPoint": ".github/workflows/release.yml"
    }
  },
  "materials": [{
    "uri": "git+https://github.com/Wikid82/charon",
    "digest": {"sha1": "abc123..."}
  }]
}
```
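To show what the `--source-uri` / `--source-tag` checks above actually compare, here is an added example (not Charon's or slsa-verifier's code) that applies the same source and tag policy to a provenance document in the simplified layout shown on this page. The sample document and its 40-hex sha1 digest are constructed; real slsa-github-generator attestations wrap these fields in an in-toto Statement under `predicate`, which the checker unwraps when present.

```python
"""Policy check over a SLSA provenance document (added example, not Charon's code).

Mirrors what slsa-verifier's --source-uri and --source-tag flags enforce, using the
simplified field layout shown on this page; real slsa-github-generator attestations
wrap these fields in an in-toto Statement under "predicate", unwrapped here if present.
"""
import json
import re

BUILDTYPE_PREFIX = "https://github.com/slsa-framework/slsa-github-generator"
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample modelled on the page's example; the sha1 digest is made up.
SAMPLE_PROVENANCE = json.dumps({
    "buildType": BUILDTYPE_PREFIX,
    "invocation": {"configSource": {
        "uri": "git+https://github.com/Wikid82/charon@refs/tags/v2.0.0",
        "entryPoint": ".github/workflows/release.yml"}},
    "materials": [{"uri": "git+https://github.com/Wikid82/charon",
                   "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}],
})


def wrap_in_statement(doc: str) -> str:
    """Embed a bare provenance in an in-toto Statement, as real attestations are."""
    return json.dumps({"_type": "https://in-toto.io/Statement/v0.1",
                       "predicateType": "https://slsa.dev/provenance/v0.2",
                       "predicate": json.loads(doc)})


def check_provenance(doc: str, source: str, tag: str,
                     entry_point: str = ".github/workflows/release.yml") -> list[str]:
    """Return policy violations; an empty list means the provenance passes."""
    prov = json.loads(doc)
    prov = prov.get("predicate", prov)  # unwrap an in-toto Statement if present
    failures = []
    if not prov.get("buildType", "").startswith(BUILDTYPE_PREFIX):
        failures.append(f"unexpected buildType {prov.get('buildType')!r}")
    cfg = prov.get("invocation", {}).get("configSource", {})
    want_uri = f"git+https://{source}@refs/tags/{tag}"
    if cfg.get("uri") != want_uri:  # a wrong repo or a wrong tag both land here
        failures.append(f"configSource.uri {cfg.get('uri')!r} != {want_uri!r}")
    if cfg.get("entryPoint") != entry_point:
        failures.append(f"unexpected entryPoint {cfg.get('entryPoint')!r}")
    src = [m for m in prov.get("materials", []) if m.get("uri") == f"git+https://{source}"]
    if not src:
        failures.append("source repository missing from materials")
    elif not SHA1_RE.match(src[0].get("digest", {}).get("sha1", "")):
        failures.append("source material lacks a full 40-hex sha1 digest")
    return failures
```

Running `check_provenance` against the page's own example would flag its truncated `"abc123..."` digest, which is exactly the kind of placeholder a verifier must refuse to accept as a pinned commit.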

Enterprise Compliance

These artifacts support compliance requirements:

  • SOC 2: Demonstrates secure build practices
  • FedRAMP: Provides software supply chain documentation
  • PCI DSS: Enables change management auditing
  • NIST SSDF: Aligns with secure development framework