{"id":50653633,"url":"https://github.com/ej-east/redoubt","last_synced_at":"2026-06-07T22:35:19.078Z","repository":{"id":357749546,"uuid":"1238364706","full_name":"ej-east/redoubt","owner":"ej-east","description":"Hardened container images and reusable CI workflows with cosign signing and SBOM attestation.","archived":false,"fork":false,"pushed_at":"2026-05-27T20:07:30.000Z","size":772,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-27T22:07:51.535Z","etag":null,"topics":["ci-cd","container-security","cosign","devsecops","distroless","docker","dockerfile","ghcr","github-actions","hardened-images","image-signing","oci","reusable-workflows","sbom","sigstore","slsa","supply-chain-security","syft","trivy","vulnerability-scanning"],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ej-east.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T03:55:18.000Z","updated_at":"2026-05-22T15:23:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ej-east/redoubt","commit_stats":null,"previous_names":["ej-east/bedrock","ej-east/redoubt"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ej-east/redoubt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ej-east%2Fredoubt","tags_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ej-east%2Fredoubt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ej-east%2Fredoubt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ej-east%2Fredoubt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ej-east","download_url":"https://codeload.github.com/ej-east/redoubt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ej-east%2Fredoubt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34041088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-07T02:00:07.652Z","response_time":124,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","container-security","cosign","devsecops","distroless","docker","dockerfile","ghcr","github-actions","hardened-images","image-signing","oci","reusable-workflows","sbom","sigstore","slsa","supply-chain-security","syft","trivy","vulnerability-scanning"],"created_at":"2026-06-07T22:35:17.498Z","updated_at":"2026-06-07T22:35:19.073Z","avatar_url":"https://github.com/ej-east.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# redoubt\n\n`redoubt` is a collection of hardened, reproducible container images and reusable CI workflows for building, scanning, 
signing, and attestation. `redoubt` makes it easy for downstream services to ship on a known secure foundation without re-inventing the supply-chain wheel.\n\n## Overview\n\nEvery image in this repository goes through the same pipeline:\n\n![Pipeline Diagram](diagrams/redoubt-diagram.png)\n\n1. **Build** - [Buildx](https://github.com/docker/buildx) builds multi-architecture images (`linux/amd64`, `linux/arm64`) on a minimal base ([distroless](https://github.com/GoogleContainerTools/distroless) for general images, UBI Micro for FIPS images).\n2. **Scan** - [Trivy](https://github.com/aquasecurity/trivy) performs a security scan. It gates on HIGH/CRITICAL CVEs and uploads a [SARIF](https://sarifweb.azurewebsites.net/) report to GitHub code scanning.\n3. **Sign** - [Cosign](https://github.com/sigstore/cosign) keylessly signs images using the workflow's OIDC identity. The signatures are logged to [Rekor](https://docs.sigstore.dev/logging/overview/).\n4. **Attest** - [Syft](https://github.com/anchore/syft) generates an SBOM, which is then attached to the image as a cosign attestation.\n\nImages are published to GHCR at `ghcr.io/ej-east/\u003cimage-name\u003e`. The build pipeline also exposes a reusable workflow at `.github/workflows/build-redoubt-image.yaml` that downstream repos call with `uses:`.\n\n## Quick Start\n\n### Pull and run\n\nPull the `main` branch image:\n\n```sh\ndocker run --rm -p 8080:8080 \\\n  -v \"$PWD:/var/www:ro\" \\\n  ghcr.io/ej-east/static-base:main\n```\n\nPin to an immutable digest:\n\n```sh\ndocker pull ghcr.io/ej-east/static-base@sha256:\u003cdigest\u003e\n```\n\n### Use a baseline image\n\nUse the static webserver base image. 
This runs as nobody (UID 65532) and is distroless.\n\n```dockerfile\nFROM ghcr.io/ej-east/static-base:latest\nCOPY ./site /var/www\n```\n\n### Use the baseline CI\n\nAdd a thin caller workflow to your repo at `.github/workflows/build-\u003cimage-name\u003e.yaml`:\n\n```yaml\nname: build-\u003cimage-name\u003e\non:\n  push:\n    branches: [main]\n    paths:\n      - \"images/\u003cimage-name\u003e/**\"\n      - \".github/workflows/build-\u003cimage-name\u003e.yaml\"\n    tags:\n      - \"\u003cimage-name\u003e/v*\"\n  pull_request:\n    paths:\n      - \"images/\u003cimage-name\u003e/**\"\n      - \".github/workflows/build-\u003cimage-name\u003e.yaml\"\n  workflow_dispatch:\n\njobs:\n  build:\n    uses: ej-east/redoubt/.github/workflows/build-redoubt-image.yaml@main\n    with:\n      image-name: \u003cimage-name\u003e\n    permissions:\n      contents: read\n      packages: write\n      id-token: write\n      security-events: write\n```\n\nIt's recommended to pin the `uses:` reference to a commit SHA instead of `@main` to mitigate possible supply-chain attacks on the reusable workflow.\n\n### Verify a signed image\n\nYou need to install [cosign](https://github.com/sigstore/cosign) first.\n\n```bash\ncosign verify ghcr.io/ej-east/static-base:latest \\\n  --certificate-identity-regexp 'https://github.com/ej-east/redoubt/\\.github/workflows/build-redoubt-image\\.yaml@.*' \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com\n```\n\nVerify and download the SBOM attestation:\n\n```bash\ncosign verify-attestation \\\n  --type spdxjson \\\n  --certificate-identity-regexp 'https://github.com/ej-east/redoubt/\\.github/workflows/build-redoubt-image\\.yaml@.*' \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  ghcr.io/ej-east/static-base:latest\n```\n\n## Image Catalog\n\n| Image Name                                                | Description                                                                                | Is FIPS? 
|\n| --------------------------------------------------------- | ------------------------------------------------------------------------------------------ | -------- |\n| `ghcr.io/ej-east/static-base`                             | Static webserver image for SPAs and docs sites.                                            | No       |\n| `ghcr.io/ej-east/golang` / `ghcr.io/ej-east/golang-build` | This container is designed to build and run golang images within a production environment. | Yes      |\n\n## Design Decisions\n\n### Different base options\n\nDifferent images use different base options. For example, `static-base` uses Google's Distroless, while the `golang` image set uses Red Hat's Universal Base Image (UBI). UBI Micro carries FIPS 140-3 validated cryptography and is the right choice for Federal workloads.\n\n### Multi-architecture by default\n\nEvery image is built for both `amd64` and `arm64`. Production environments are increasingly using `arm64` devices, so it's important to produce production-ready images for these machines.\n\n### SLSA Level\n\nImages currently meet the requirements for **SLSA Build Level 2**. This is achieved through the following: Buildx generates in-toto provenance with `provenance: mode=max`. The resulting attestation is signed by GitHub Actions' OIDC identity, and the build runs on a GitHub-hosted runner. This process satisfies L2's hosted, authenticated, non-falsifiable provenance criteria.\n\n**SLSA Build Level 3** is on the roadmap. Reaching it means adopting [`slsa-framework/slsa-github-generator`](https://github.com/slsa-framework/slsa-github-generator) instead of the current flow. 
The driver is that L3 is a FedRAMP requirement for certain workloads.\n\n### OpenSCAP\n\nProduction images are scanned against the [DISA STIG](https://public.cyber.mil/stigs/) profile using [OpenSCAP](https://www.open-scap.org/) and [ComplianceAsCode](https://github.com/ComplianceAsCode/content) (SSG) content.\n\n## License\n\nSee [LICENSE.md](LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fej-east%2Fredoubt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fej-east%2Fredoubt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fej-east%2Fredoubt/lists"}