
Releases: toddysm/cssc-framework


v0.1.1


@toddysm toddysm released this 02 Jul 04:26
9eeee6c

What's new in v0.1.1

This release builds out the software supply-chain security (SSC) build pipeline for the CSSC Dashboard app and reorganizes the documentation around the CSSC stages.

Features

  • CSSC Dashboard microservices (Acquisition stage) — new apps/python-app microservices web dashboard (packages-service, issues-service, dashboard-web) with a shared cssc_common library, umbrella Helm chart, and kind-based local dev. (#100)
  • OCI multi-arch builds with annotations — the dashboard images are now built with buildx as OCI, multi-arch (linux/amd64 + linux/arm64) images carrying standard org.opencontainers.image.* and custom com.toddysm.* annotations at both the index and per-platform manifest scope. The base image is pinned by digest, and the org.opencontainers.image.created timestamp is taken from SOURCE_DATE_EPOCH so rebuilds are reproducible. (#112)
  • SPDX SBOM attestation — an SPDX SBOM is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#113, #119)
  • SLSA build provenance attestation — SLSA build provenance is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#114, #120)
  • Semantic-version image tagging — images are tagged with the full semver set (major, minor, patch, and an immutable patch-<short-sha> build tag) derived from the latest published GitHub Release, plus com.toddysm.image.lineage and com.toddysm.image.tags annotations. No latest tag is published. (#129)
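The tag set and annotation map described in the last two bullets, as an added example (not code from the cssc-framework repository). It follows the scheme stated above: floating major and minor tags, the exact patch tag, an immutable `<patch>-<short-sha>` tag and no `latest`, with `org.opencontainers.image.created` derived from `SOURCE_DATE_EPOCH` rather than the wall clock. The value formats of the `com.toddysm.image.tags` and `com.toddysm.image.lineage` keys, the rule for pre-release tags, and the sample base-image reference are assumptions.

```python
"""Semver tag set and OCI annotations for one release build (added example)."""
import json
import re
from datetime import datetime, timezone

SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def image_tags(release_tag: str, git_sha: str) -> list[str]:
    """Tags to push for a release: floating ones first, the immutable one last."""
    m = SEMVER_RE.match(release_tag)
    if not m:
        raise ValueError(f"not a semver release tag: {release_tag!r}")
    if not re.fullmatch(r"[0-9a-f]{40}", git_sha):
        raise ValueError("git_sha must be the full 40-hex commit id")
    short = git_sha[:7]
    patch = f"{m['major']}.{m['minor']}.{m['patch']}"
    if m["pre"]:
        # Assumption: a pre-release must not move the floating major/minor tags,
        # so it gets only its exact tag plus the immutable build tag.
        pre = f"{patch}-{m['pre']}"
        return [pre, f"{pre}-{short}"]
    # Never a `latest` tag: consumers pin to a digest or to an explicit version.
    return [m["major"], f"{m['major']}.{m['minor']}", patch, f"{patch}-{short}"]


def oci_annotations(release_tag: str, git_sha: str, base_name: str,
                    base_digest: str, source_date_epoch: str) -> dict[str, str]:
    """Annotation map applied at both the index and per-platform manifest scope."""
    tags = image_tags(release_tag, git_sha)
    # SOURCE_DATE_EPOCH is the only clock the build reads, so `created` is stable
    # across rebuilds and the manifest bytes (hence digests) can be reproduced.
    created = datetime.fromtimestamp(int(source_date_epoch), tz=timezone.utc)
    return {
        "org.opencontainers.image.created": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "org.opencontainers.image.version": tags[-2],
        "org.opencontainers.image.revision": git_sha,
        "org.opencontainers.image.base.name": base_name,      # base pinned by digest below
        "org.opencontainers.image.base.digest": base_digest,
        "com.toddysm.image.tags": ",".join(tags),                       # assumed format
        "com.toddysm.image.lineage": f"{release_tag}@{git_sha[:7]}",    # assumed format
    }


if __name__ == "__main__":
    # Constructed sample inputs: the v0.1.1 tag and commit prefix from this page,
    # padded to a full sha; base reference and digest are placeholders.
    print(json.dumps(oci_annotations(
        "v0.1.1", "9eeee6c" + "0" * 33,
        "docker.io/library/python:3.12-slim", "sha256:" + "ab" * 32,
        "1700000000"), indent=2))
```

Running the block twice with the same `SOURCE_DATE_EPOCH` yields an identical annotation map, which is the property the bullet above relies on; change the epoch and only `created` moves.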

Documentation

  • Restructured docs/architecture/ and docs/guides/ around the five CSSC stages (Acquire / Build / Catalog / Deploy / Run). (#132)
  • Added the CSSC Dashboard microservices design and build-workflows architecture docs.
  • Added user guides for image tagging, reading image annotations, and verifying image attestations, and corrected the attestation/referrer terminology in the reference docs. (#130, #131)
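The SBOM and provenance bullets under Features say each attestation is generated per platform and published as a Referrers-API artifact. What that means for a verifier, shown as an added example (not the project's verification guide or code): the attestation hangs off the platform manifest digest, not the index digest, so the index has to be resolved to one platform first, and the referrer manifest's own `subject` has to be checked, because a registry without the Referrers API falls back to a `sha256-<hex>` tag that anyone with push access can overwrite. The sample index and referrer manifests are constructed in-line; the `artifactType` strings and helper names are assumptions.

```python
"""Find the per-platform SBOM and provenance referrers of a multi-arch image (added example)."""
import hashlib
import json

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
SBOM_TYPE = "application/spdx+json"               # assumed artifactType
PROVENANCE_TYPE = "application/vnd.in-toto+json"  # assumed artifactType


def digest_of(raw: bytes) -> str:
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def platform_manifest_digest(index: dict, os_name: str, arch: str) -> str:
    """Pick the one manifest for os/arch. buildx's own attestation manifests sit in
    the index with platform unknown/unknown, so they never match here."""
    if index.get("mediaType") != OCI_INDEX:
        raise ValueError("not an OCI image index")
    hits = [d for d in index["manifests"]
            if d.get("platform", {}).get("os") == os_name
            and d["platform"].get("architecture") == arch]
    if len(hits) != 1:
        raise LookupError(f"expected one {os_name}/{arch} manifest, found {len(hits)}")
    return hits[0]["digest"]


def referrers_of_type(response: dict, artifact_type: str) -> list[str]:
    """The Referrers API returns an image index; filter on artifactType client-side."""
    if response.get("mediaType") != OCI_INDEX:
        raise ValueError("referrers response is not an image index")
    return [d["digest"] for d in response.get("manifests", [])
            if d.get("artifactType") == artifact_type]


def check_subject(referrer: dict, expected: str) -> bool:
    """Trust the referrer manifest's own subject, not the listing that named it."""
    return referrer.get("subject", {}).get("digest") == expected


def attestations_for(index, fetch_referrers, fetch_manifest, os_name, arch) -> dict:
    """Return {"sbom": digest, "provenance": digest} for one platform, or raise."""
    subject = platform_manifest_digest(index, os_name, arch)
    listing = fetch_referrers(subject)
    found = {}
    for name, atype in (("sbom", SBOM_TYPE), ("provenance", PROVENANCE_TYPE)):
        good = [d for d in referrers_of_type(listing, atype)
                if check_subject(fetch_manifest(d), subject)]
        if len(good) != 1:
            raise LookupError(f"expected exactly one {name} for {subject[:19]}, got {len(good)}")
        found[name] = good[0]
    return found


# ---- constructed sample data standing in for a registry (not real images) ----
def _canon(doc: dict) -> bytes:
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def _platform_manifest(config_hex: str) -> bytes:
    return _canon({"schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [],
                   "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                              "digest": "sha256:" + config_hex * 32, "size": 1}})

AMD64_RAW, ARM64_RAW = _platform_manifest("11"), _platform_manifest("22")
AMD64, ARM64 = digest_of(AMD64_RAW), digest_of(ARM64_RAW)
SAMPLE_INDEX = {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [
    {"mediaType": OCI_MANIFEST, "digest": AMD64, "size": len(AMD64_RAW),
     "platform": {"os": "linux", "architecture": "amd64"}},
    {"mediaType": OCI_MANIFEST, "digest": ARM64, "size": len(ARM64_RAW),
     "platform": {"os": "linux", "architecture": "arm64"}},
    {"mediaType": OCI_MANIFEST, "digest": "sha256:" + "33" * 32, "size": 1,
     "platform": {"os": "unknown", "architecture": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest"}}]}
INDEX_DIGEST = digest_of(_canon(SAMPLE_INDEX))

STORE: dict[str, dict] = {}  # digest -> referrer manifest, as the registry would hold them

def _publish(artifact_type: str, subject: str) -> str:
    m = {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "artifactType": artifact_type,
         "config": {"mediaType": "application/vnd.oci.empty.v1+json",
                    "digest": "sha256:" + "44" * 32, "size": 2},
         "layers": [{"mediaType": artifact_type, "digest": "sha256:" + "55" * 32, "size": 99}],
         "subject": {"mediaType": OCI_MANIFEST, "digest": subject, "size": 1}}
    d = digest_of(_canon(m))
    STORE[d] = m
    return d

SBOM_AMD64, PROV_AMD64 = _publish(SBOM_TYPE, AMD64), _publish(PROVENANCE_TYPE, AMD64)
SBOM_ARM64, PROV_ARM64 = _publish(SBOM_TYPE, ARM64), _publish(PROVENANCE_TYPE, ARM64)
PROV_ON_INDEX = _publish(PROVENANCE_TYPE, INDEX_DIGEST)  # attached to the wrong subject

def sample_referrers(subject: str, strict: bool = True) -> dict:
    """strict=True behaves like a conforming registry (filters by subject);
    strict=False mimics an unfiltered fallback-tag index that lists everything."""
    return {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": d, "size": 1, "artifactType": m["artifactType"]}
        for d, m in STORE.items() if not strict or m["subject"]["digest"] == subject]}
```

Against a real registry, `fetch_referrers` would issue `GET /v2/<name>/referrers/<digest>` and `fetch_manifest` would `GET /v2/<name>/manifests/<digest>`; the subject check is what keeps an unfiltered or stale listing from handing you another platform's SBOM. Verifying the attestation signature itself is a separate step not shown here.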

Full changelog: v0.1.0...v0.1.1

v0.1.0


@toddysm toddysm released this 28 Jun 22:14
69deeec

Overview

v0.1.0 is the initial release of the Container Supply Chain Security (CSSC) Framework — a GitHub Actions–based pipeline that brings third‑party base images into the organization under a controlled, auditable, and policy‑enforced flow. Images move from public registries into a quarantine repository, are scanned and validated, and are only promoted to a trusted golden repository after they pass security gates (with an optional human approval step).

Highlights

Image mirroring (Docker Hub → quarantine)

  • Reusable mirror workflows that copy upstream base images from the public Docker Hub registry into the internal quarantine repository.
  • Coverage for three base images: node, openjdk, and python (including a hardened "DHI" Python variant with referrers + SBOM mirroring).
  • Mirroring preserves referrers (signatures, SBOMs, attestations) so downstream validation has the full provenance to work with.

Promotion (quarantine → golden)

  • Reusable promote‑from‑quarantine workflows for the node, openjdk, and python images.
  • Vulnerability scanning (Trivy) and SBOM‑based scanning for hardened images before any image is promoted.
  • Human‑in‑the‑loop override approval: blocked promotions open a GitHub issue that acts as the approval gate, and proactive Slack notifications alert approvers so they can review and sign off.
  • A dedicated override path lets an approver consciously promote an image that didn't pass automated gates, with the decision tracked through the issue.

Operability

  • Workflows refactored into reusable composite actions for consistency and reuse across images.
  • Automatic CI‑failure issue filing via a workflow_run monitor, so pipeline failures are surfaced and tracked.
  • Node 24–compatible action versions throughout, and architecture/user documentation under docs/.

Known limitations

  • Mirroring and promotion currently cover the node, openjdk, and python base images only; other images require adding their own workflows.
  • Automatic schedules for the hardened Python workflows are disabled by default and must be enabled/triggered manually.
  • Override approval and Slack notifications depend on repository configuration (secrets, environments, Slack webhook) being set up per the docs.
  • Demo apps (Java, Node.js, Python) are skeletons intended to exercise the pipeline, not production workloads.

What's Changed

  • Integrating image sync into the main branch by @toddysm in #8
  • Integrated task trigger on image push and SBOM generation task by @toddysm in #9
  • Implemented synchronization of images and validations by @toddysm in #10
  • Added dockerfile for copacetic by @toddysm in #15
  • Completed acquire stage tasks by @toddysm in #16
  • Added basic test workflow by @toddysm in #17
  • Added base image verification before build by @toddysm in #18
  • Added notation setup step by @toddysm in #19
  • Added experimental flag for notation in the build workflow by @toddysm in #20
  • Implemented image lifecycle verification in the build stage by @toddysm in #21
  • Completed the vulnerability checks as part of the build stage by @toddysm in #23
  • Updated Github workflow by @toddysm in #24
  • Updated workflow trust policy with new registry name by @toddysm in #25
  • Updated ACR task for patching to add lifecycle metadata by @toddysm in #26
  • Fixed workflow name and updated arch diagram by @toddysm in #27
  • Updated arch diagram by @toddysm in #28
  • Updated diagram formats by @toddysm in #29
  • Updated demo script and added white bg arch diagram by @toddysm in #30
  • chore: reset repo content for custos demo by @toddysm in #31
  • feat: add skeleton for python, nodejs, and java demo apps by @toddysm in #32
  • feat: add base image mirror workflow and docs conventions by @toddysm in #33
  • Add mirror workflow for node:26-alpine into base/node by @toddysm in #34
  • Mirror images into quarantine/ namespace instead of base/ by @toddysm in #35
  • Add mirror workflow for openjdk:27-ea-slim into quarantine/openjdk by @toddysm in #36
  • Expand README with project overview and status badges by @toddysm in #37
  • docs: add architecture docs for image mirror workflows by @toddysm in #38
  • docs: add user guide for mirroring base images by @toddysm in #39
  • docs: use a descriptive README title by @toddysm in #40
  • feat(workflows): scan-and-promote workflows (quarantine → golden) by @toddysm in #46
  • feat(workflows): detailed per-image scan report by @toddysm in #47
  • fix(workflows): pin ORAS CLI to 1.3.0 supported by setup-oras by @toddysm in #48
  • fix(workflows): bump Trivy to v0.71.0 and setup-oras to v2.0.0 (Node 24) by @toddysm in #49
  • Add mirror & scan workflows for hardened python DHI by @toddysm in #53
  • DHI: mirror referrers + SBOM-based scanning for hardened images by @toddysm in #57
  • Refactor scan workflows into discrete, dependent steps by @toddysm in #58
  • Fix mirror step failing after a successful copy by @toddysm in #59
  • Refactor workflows into reusable composite actions by @toddysm in #60
  • Bump Node 20 actions to Node 24-compatible v5.0.0 by @toddysm in #61
  • Bump artifact actions to Node 24 and rename scan workflows to promote-from-quarantine by @toddysm in #62
  • Disable automatic schedules for hardened python workflows by @toddysm in #63
  • Clean up CodeQL workflow by removing languages by @toddysm in #73
  • feat: human-in-the-loop override approval for blocked promotions by @toddysm in #72
  • docs: guide for configuring override approval + Slack notifications by @toddysm in #75
  • Enable override approval + Slack alerts on all promote callers by @toddysm in #76
  • Fix override promotion failing on quarantine-delete error by @toddysm in #78
  • Design: automatic CI-failure issue filing (workflow_run monitor) by @toddysm in #79
  • feat: automatic CI-failure issue filing (workflow_run monitor) by @toddysm in #86

Full Changelog: https://github.com/toddysm/cssc-framework/commits/v0.1.0