Context-Aware Container Governance
ConCert is a command-line tool and governance service that bridges the gap between build-time software quality analysis and runtime enforcement in containerized deployments.
Existing tools address container security in isolation: scanners (Trivy, Grype) analyze images, signers (Cosign, Notation) attest provenance, and admission controllers (OPA, Gatekeeper) enforce policies at deployment. However, once a container is running, the evidence that informed the deployment decision -- SBOM, vulnerability analysis, test results, and provenance metadata -- is no longer associated with the workload. When policies evolve or new vulnerabilities are disclosed, operators lack the structured context to identify affected containers and respond selectively.
ConCert addresses this through two mechanisms:
- Sealed governance artifact. `concert build` packages an OCI container image together with its CycloneDX SBOM, vulnerability scan, digital signature, and test evidence into a portable `.concert` archive. The signed manifest serves as the root of trust.
- Continuous runtime enforcement. A background orchestrator periodically re-evaluates all managed containers against the active policy set. Policy changes automatically propagate to running workloads. Predicate-based selectors enable targeted incident response:
```
concert stop 'VULNs includes CVE-2024-3094'
```
ConCert evaluates artifacts against six configurable policy dimensions:
| Dimension | Example |
|---|---|
| Vulnerability severity gate | Deny containers with CRITICAL or HIGH CVEs |
| CVE deny list | Block specific known vulnerabilities |
| Package deny list | Reject artifacts containing specific packages |
| Test suite requirements | Require passing integration or unit test evidence |
| Cryptographic trust | Only admit artifacts signed by trusted keys |
| Contributor governance | Block artifacts with packages from compromised maintainers |
ConCert uses a Nix flake for reproducible setup. All dependencies are declared and pinned.
```
git clone https://github.com/containerutils/ConCert.git && cd ConCert
nix develop
```
```
concert --help
concert build docker.io/library/alpine:3.20 -o /tmp/alpine.concert
concert inspect /tmp/alpine.concert
concert install rules/production.json         # deny CRITICAL vulnerabilities
concert service start                         # start the governance service
concert run /tmp/alpine.concert --name my-app
concert list                                  # view managed containers
concert enforce rules/strict.json             # tighten policy -- orchestrator re-evaluates
concert list                                  # non-compliant containers are now BLOCKED
concert stop 'VULNs includes CVE-2024-3094'   # stop affected containers by CVE
concert stop 'PKGs includes *flask*'          # stop by package name
```
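As an added illustration (not ConCert's own code), the following Python sketch evaluates four of the policy dimensions from the table above (severity gate, CVE deny list, package deny list, trusted signers) and the `'FIELD includes PATTERN'` selectors used by `concert stop` over the kind of evidence a `.concert` archive carries. The `Artifact` type, the policy keys, and the sample inventory are assumptions for the example, not the project's data model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Artifact:
    """Minimal stand-in for the evidence a .concert archive bundles (constructed, not ConCert's types)."""
    name: str
    packages: list   # "name@version" entries from the CycloneDX SBOM
    vulns: dict      # CVE id -> severity, from the vulnerability scan
    signer: str      # id of the key that signed the manifest

def evaluate_policy(art, policy):
    """Return the policy violations; an empty list means the artifact is admitted."""
    out = []
    gate = policy.get("max_allowed_severity")
    for cve, sev in art.vulns.items():
        if gate and SEVERITY_RANK[sev] > SEVERITY_RANK[gate]:
            out.append(f"{cve} is {sev}, above the {gate} gate")
        if cve in policy.get("deny_cves", []):
            out.append(f"{cve} is on the CVE deny list")
    for pat in policy.get("deny_packages", []):
        out += [f"package {p} matches deny pattern {pat}" for p in art.packages if fnmatchcase(p, pat)]
    trusted = policy.get("trusted_signers")
    if trusted is not None and art.signer not in trusted:
        out.append(f"manifest signed by untrusted key {art.signer}")
    return out

def matches_selector(art, selector):
    """Evaluate a 'FIELD includes PATTERN' selector, e.g. 'PKGs includes *flask*' (glob match)."""
    field, op, pattern = selector.split(maxsplit=2)
    if op != "includes":
        raise ValueError(f"unsupported operator: {op}")
    values = {"VULNs": list(art.vulns), "PKGs": art.packages}[field]
    return any(fnmatchcase(v, pattern) for v in values)

def select(artifacts, selector):
    """Names of the managed artifacts a selector would act on (what 'concert stop' targets)."""
    return [a.name for a in artifacts if matches_selector(a, selector)]

# Constructed sample inventory and policy; CVE-0000-0001 is a placeholder id.
SAMPLES = [
    Artifact("xz-app", ["xz-utils@5.6.1", "bash@5.2"], {"CVE-2024-3094": "CRITICAL"}, "key-prod"),
    Artifact("web", ["flask@3.0.0", "werkzeug@3.0.1"], {"CVE-0000-0001": "MEDIUM"}, "key-dev"),
    Artifact("base", ["busybox@1.36"], {}, "key-prod"),
]
PRODUCTION_POLICY = {"max_allowed_severity": "MEDIUM", "deny_cves": ["CVE-2024-3094"],
                     "deny_packages": ["*flask*"], "trusted_signers": {"key-prod"}}
```

Re-running `evaluate_policy` over every managed artifact whenever the policy dict changes is the loop the orchestrator performs, and `select(SAMPLES, "VULNs includes CVE-2024-3094")` is the set a targeted stop would act on.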
The service operates as a governance layer on top of standard container engines (Docker, Podman). ConCert does not modify the container runtime -- it intercepts deployment requests, evaluates policy, and delegates execution to the underlying engine.
```
src/main/kotlin/concert/
  cli/        Command-line interface (Clikt)
  core/       .concert artifact parser, rule evaluator, data models
  engine/     Container engine abstraction (Docker, Podman)
  service/    HTTP service, orchestrator, SQLite state store
  build/      Artifact builder (Syft, Grype, Minisign integration)
src/test/kotlin/   96 automated tests
rules/             Example governance policies
demo/              Reproducible demo script (VHS tape)
```
A screencast demonstrating the full governance workflow is available at the project page.
The demo is defined as a reproducible VHS tape script and can be re-recorded:
```
vhs demo/demo.tape
```
- Language: Kotlin (JVM)
- Container engines: Docker, Podman (via `ContainerEngine` abstraction)
- SBOM generation: Syft (CycloneDX format)
- Vulnerability scanning: Grype
- Signing: Minisign
- State store: SQLite
- Dev environment: Nix flake (reproducible, all dependencies pinned)
This project is open-source software.