Charon/docs/features/supply-chain-security.md

title, description

title	description
Verified Builds	Cryptographic signatures, SLSA provenance, and SBOM for every release

Verified Builds

Know exactly what you're running. Every Charon release includes cryptographic signatures, SLSA provenance attestation, and a Software Bill of Materials (SBOM). Enterprise-grade supply chain security for everyone.

Overview

Supply chain attacks are increasingly common. Charon protects you with multiple verification layers that prove the image you're running was built from the official source code, hasn't been tampered with, and contains no hidden dependencies.

Security Artifacts

Artifact	Purpose	Standard
Cosign Signature	Cryptographic proof of origin	Sigstore
SLSA Provenance	Build process attestation	SLSA Level 3
SBOM	Complete dependency inventory	SPDX/CycloneDX

Why Supply Chain Security Matters

Threat	Mitigation
Compromised CI/CD	SLSA provenance verifies build source
Malicious maintainer	Signatures require private key access
Dependency hijacking	SBOM enables vulnerability scanning
Registry tampering	Signatures detect unauthorized changes
Audit requirements	Complete traceability for compliance

Verifying Image Signatures

Prerequisites

# Install Cosign
# macOS
brew install cosign

# Linux
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64 && sudo mv cosign-linux-amd64 /usr/local/bin/cosign

Verify a Charon Image

# Verify signature (keyless - uses Sigstore public transparency log)
cosign verify ghcr.io/wikid82/charon:latest \
  --certificate-identity-regexp='https://github.com/Wikid82/charon/.*' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

# Successful output shows:
# Verification for ghcr.io/wikid82/charon:latest --
# The following checks were performed on each of these signatures:
#   - The cosign claims were validated
#   - The signatures were verified against the specified public key

Verify SLSA Provenance

# Install slsa-verifier
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest

# Verify provenance attestation
slsa-verifier verify-image ghcr.io/wikid82/charon:latest \
  --source-uri github.com/Wikid82/charon \
  --source-tag v2.0.0

Software Bill of Materials (SBOM)

What's Included

The SBOM lists every component in the image:

• Go modules and versions
• System packages (Alpine)
• Frontend npm dependencies
• Build tools used

Retrieving the SBOM

# Download SBOM attestation
cosign download sbom ghcr.io/wikid82/charon:latest > charon-sbom.spdx.json

# View in human-readable format
cat charon-sbom.spdx.json | jq '.packages[] | {name, version}'

Vulnerability Scanning

Use the SBOM with vulnerability scanners:

# Scan with Trivy
trivy sbom charon-sbom.spdx.json

# Scan with Grype
grype sbom:charon-sbom.spdx.json

SLSA Provenance Details

SLSA (Supply-chain Levels for Software Artifacts) provenance includes:

Field	Content
buildType	GitHub Actions workflow
invocation	Commit SHA, branch, workflow run
materials	Source repository, dependencies
builder	GitHub-hosted runner details

Example Provenance

{
  "buildType": "https://github.com/slsa-framework/slsa-github-generator",
  "invocation": {
    "configSource": {
      "uri": "git+https://github.com/Wikid82/charon@refs/tags/v2.0.0",
      "entryPoint": ".github/workflows/release.yml"
    }
  },
  "materials": [{
    "uri": "git+https://github.com/Wikid82/charon",
    "digest": {"sha1": "abc123..."}
  }]
}

Enterprise Compliance

These artifacts support compliance requirements:

• SOC 2: Demonstrates secure build practices
• FedRAMP: Provides software supply chain documentation
• PCI DSS: Enables change management auditing
• NIST SSDF: Aligns with secure development framework

Related

• Security Hardening - Runtime security features
• Coraza WAF - Application firewall
• Back to Features