Skip to content

v11: Added FIPS/STIG as container deployment option #8420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 3, 2025
+34 −0
Merged

v11: Added FIPS/STIG as container deployment option #8420

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c135a15
Added FIPS/STIG as container deployment option
cwarnermm Sep 22, 2025
8bb253d
Incorporated reviewer feedback
cwarnermm Sep 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions source/deployment-guide/server/containers/fips-stig.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
.. meta::
:name: robots
:content: noindex

:orphan:
:nosearch:

From Mattermost v11, each release provides two variants: a FIPS-compliant build and a non-FIPS build. This ensures that organizations with strict compliance requirements can adopt the FIPS version while others can continue with the standard release, both staying in sync with Mattermost’s overall product lifecycle.

Mattermost FIPS-compliant Docker images are built using Chainguard’s FIPS-certified base containers. These images help organizations meet stringent security requirements by ensuring compliance with the Federal Information Processing Standards (FIPS).

On top of this foundation, Mattermost product code itself is aligned with FIPS requirements, using only FIPS-approved cryptographic algorithms. This ensures that both the underlying container base and the application layer meet compliance expectations.

In addition, the Chainguard base images are STIG-hardened and rigorously scanned against the DISA General Purpose Operating System SRG, providing a robust and secure operational posture.

Mattermost FIPS Overview
-------------------------

Mattermost’s FIPS-compliant images are built using two Chainguard base images:

- `Build-Time Image <https://images.chainguard.dev/directory/image/go-msft-fips/overview>`_: Ensures compiled Mattermost binaries invoke OpenSSL through CGO for FIPS-compliance during compilation.
- `Runtime Image <https://images.chainguard.dev/directory/image/glibc-openssl-fips/overview>`_: Enforces FIPS compliance in the runtime environment using strict OpenSSL configurations.

All application-level code uses only FIPS-approved algorithms, ensuring that cryptographic requirements are consistently enforced across every layer of the system.

.. note::

The Mattermost FIPS image includes only prepackaged Boards, Playbooks, and Agents.
6 changes: 6 additions & 0 deletions source/deployment-guide/server/deploy-containers.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ This deployment method shouldn't be used in production environments as it doesn'

Choose your preferred container platform below for specific deployment instructions:

.. tab:: FIPS/STIG
:parse-titles:

.. include:: containers/fips-stig.rst
:start-after: :nosearch:

.. tab:: Docker
:parse-titles:

Expand Down