Docker images
Pull the matching ghcr.io tag:
docker pull ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1
docker pull ghcr.io/cloudfieldcz/scanner-bridge:0.19.1Image pages:
shdg CLI
Push-from-CI client. Pre-built for Linux, macOS, and Windows:
| OS | Arch | Archive |
|---|---|---|
| Linux | x86_64 | shdg-0.19.1-linux-amd64.tar.gz |
| Linux | aarch64 | shdg-0.19.1-linux-arm64.tar.gz |
| macOS | Intel | shdg-0.19.1-darwin-amd64.tar.gz |
| macOS | Apple Silicon | shdg-0.19.1-darwin-arm64.tar.gz |
| Windows | x86_64 | shdg-0.19.1-windows-amd64.zip |
shdg version reports 0.19.1 to match the Docker tag.
Verify archive integrity with SHA256SUMS (also attached).
Supply-chain security
All artifacts are signed and carry SLSA build provenance (keyless, via GitHub OIDC + Sigstore).
- Images — cosign signature + SLSA provenance + CycloneDX SBOM attached as OCI referrers:
cosign verify ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1 \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com gh attestation verify oci://ghcr.io/cloudfieldcz/shieldoo-gate:0.19.1 --repo cloudfieldcz/shieldoo-gate - shdg binaries — SLSA provenance:
gh attestation verify shdg-0.19.1-linux-amd64.tar.gz --repo cloudfieldcz/shieldoo-gate - Detached signatures — each archive and
SHA256SUMSalso ships a keyless*.sig+*.pemcert (recognised by OpenSSF Scorecard):The same provenance is also attached ascosign verify-blob \ --signature shdg-0.19.1-linux-amd64.tar.gz.sig \ --certificate shdg-0.19.1-linux-amd64.tar.gz.pem \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com shdg-0.19.1-linux-amd64.tar.gzshdg-0.19.1.intoto.jsonl. - SBOMs — the CycloneDX SBOMs dogfooded through the gate are attached (
*.cdx.json) with a detached cosign bundle (*.cdx.json.cosign.bundle):cosign verify-blob --bundle sbom-gate.cdx.json.cosign.bundle \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com sbom-gate.cdx.json
Changes (v0.19.0…v0.19.1)
- chore(deps): bump the gomod-minor-patch group across 1 directory with 5 updates (#122) (8782c8b)
- build(ci): bump github/codeql-action init/autobuild/analyze to v4.37.0 (#121) (76ff00c)
- chore(deps): bump scanner-bridge deps (guarddog 3.1.0, grpcio 1.82.1, openai 2.45.0) (#120) (9d2c814)
- chore(docker): bump python:3.13.14-slim digest to 2026-06-28 rebuild (#119) (459f4fe)
- chore(deps): bump the gomod-minor-patch group with 12 updates (#118) (0604332)
- chore(deps): bump the npm-minor-patch group across 1 directory with 9 updates (#112) (49bd414)
- build(ci): bump github/codeql-action/upload-sarif from 4.36.2 to 4.37.0 (#109) (80c7cc7)
- chore(deps): bump trivy to 0.72.0 (image + shdg bundled binary) (#116) (b280a69)
- build(ci): bump docker/setup-buildx-action from 4.1.0 to 4.2.0 (#101) (6b501ce)
- build(ci): bump docker/metadata-action from 6.1.0 to 6.2.0 (#99) (4348955)
- build(ci): bump docker/build-push-action from 7.2.0 to 7.3.0 (#97) (7d75230)
- build(ci): bump docker/login-action from 4.2.0 to 4.4.0 (#96) (d4a59ed)
- build: bump Go to 1.26.5 and govulncheck to v1.6.0 (#115) (9c074e0)