Releases: toddysm/cssc-framework
v0.1.1
What's new in v0.1.1
This release builds out the software supply-chain security (SSC) build pipeline for the CSSC Dashboard app and reorganizes the documentation around the CSSC stages.
Features
- CSSC Dashboard microservices (Acquisition stage) — new `apps/python-app` microservices web dashboard (`packages-service`, `issues-service`, `dashboard-web`) with a shared `cssc_common` library, umbrella Helm chart, and kind-based local dev. (#100)
- OCI multi-arch builds with annotations — the dashboard images are now built with `buildx` as OCI, multi-arch (`linux/amd64` + `linux/arm64`) images carrying standard `org.opencontainers.image.*` and custom `com.toddysm.*` annotations at both the index and per-platform manifest scope. The base image is pinned by digest and `created` is reproducible via `SOURCE_DATE_EPOCH`. (#112)
- SPDX SBOM attestation — an SPDX SBOM is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#113, #119)
- SLSA build provenance attestation — SLSA build provenance is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#114, #120)
- Semantic-version image tagging — images are tagged with the full semver set (`major`, `minor`, `patch`, and an immutable `patch-<short-sha>` build tag) derived from the latest published GitHub Release, plus `com.toddysm.image.lineage` and `com.toddysm.image.tags` annotations. No `latest` tag is published. (#129)
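The tag derivation described above, as an added illustration that is not code from the cssc-framework repository: given the latest published release tag and the build commit's short SHA, produce the mutable `major` / `major.minor` tags, the full `major.minor.patch` tag and the immutable `patch-<short-sha>` build tag, and never emit `latest`. The exact tag spellings (leading `v` stripped, `-` as the SHA separator), the comma-joined value of `com.toddysm.image.tags`, and the rejection of prerelease versions are assumptions made here; the page does not state the value format of `com.toddysm.image.lineage`, so that annotation is left out.

```python
import re

# Release tags are expected as plain semver with an optional leading "v"
# (e.g. "v0.1.1"). Prerelease and build-metadata suffixes are rejected on the
# assumption that only a *published* release drives the tag set.
SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)$"
)
# Abbreviated git commit hashes: lowercase hex, 7 to 12 characters (assumed bounds).
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,12}$")


def is_release_tag(tag: str) -> bool:
    """True if `tag` is a release version this scheme will derive image tags from."""
    return SEMVER_RE.match(tag) is not None


def derive_tags(release_tag: str, short_sha: str) -> list[str]:
    """Return the ordered tag set for one build.

    Order: major, major.minor, major.minor.patch, major.minor.patch-<short-sha>.
    The first three tags move with each release; the last one is immutable
    because it embeds the commit that produced the image.
    """
    m = SEMVER_RE.match(release_tag)
    if m is None:
        raise ValueError(f"not a published semver release tag: {release_tag!r}")
    if SHORT_SHA_RE.match(short_sha) is None:
        raise ValueError(f"not a short commit SHA: {short_sha!r}")
    major, minor, patch = m.group("major"), m.group("minor"), m.group("patch")
    full = f"{major}.{minor}.{patch}"
    tags = [major, f"{major}.{minor}", full, f"{full}-{short_sha}"]
    # Defensive check: the scheme deliberately never publishes "latest".
    assert "latest" not in tags
    return tags


def tags_annotation(tags: list[str]) -> dict[str, str]:
    """Build the custom annotation recording which tags the image was pushed
    under. A comma-separated list is an assumed encoding, not the project's."""
    return {"com.toddysm.image.tags": ",".join(tags)}


def immutable_tag(tags: list[str]) -> str:
    """The one tag a downstream consumer should pin to: it carries the SHA."""
    return next(t for t in tags if "-" in t)


if __name__ == "__main__":
    # Constructed sample input: the release this page documents plus a made-up SHA.
    t = derive_tags("v0.1.1", "abc1234")
    print(t)                    # ['0', '0.1', '0.1.1', '0.1.1-abc1234']
    print(tags_annotation(t))
    print("pin to:", immutable_tag(t))
```

The mutable tags are the ones a consumer can accidentally follow across releases; the build tag is what a promotion or deploy step should record, since it identifies both the release and the exact commit.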
Documentation
- Restructured `docs/architecture/` and `docs/guides/` around the five CSSC stages (Acquire / Build / Catalog / Deploy / Run). (#132)
- Added the CSSC Dashboard microservices design and build-workflows architecture docs.
- Added user guides for image tagging, reading image annotations, and verifying image attestations, and corrected the attestation/referrer terminology in the reference docs. (#130, #131)
Full changelog: v0.1.0...v0.1.1
v0.1.0
Overview
v0.1.0 is the initial release of the Container Supply Chain Security (CSSC) Framework — a GitHub Actions–based pipeline that brings third‑party base images into the organization under a controlled, auditable, and policy‑enforced flow. Images move from public registries into a quarantine repository, are scanned and validated, and are only promoted to a trusted golden repository after they pass security gates (with an optional human approval step).
Highlights
Image mirroring (Docker Hub → quarantine)
- Reusable mirror workflows that copy upstream base images from the public Docker Hub registry into the internal `quarantine` repository.
- Coverage for three base images: `node`, `openjdk`, and `python` (including a hardened "DHI" Python variant with referrers + SBOM mirroring).
- Mirroring preserves referrers (signatures, SBOMs, attestations) so downstream validation has the full provenance to work with.
Promotion (quarantine → golden)
- Reusable promote‑from‑quarantine workflows for the `node`, `openjdk`, and `python` images.
- Vulnerability scanning (Trivy) and SBOM‑based scanning for hardened images before any image is promoted.
- Human‑in‑the‑loop override approval: blocked promotions open a GitHub issue that acts as the approval gate, and proactive Slack notifications alert approvers so they can review and sign off.
- A dedicated override path lets an approver consciously promote an image that didn't pass automated gates, with the decision tracked through the issue.
Operability
- Workflows refactored into reusable composite actions for consistency and reuse across images.
- Automatic CI‑failure issue filing via a `workflow_run` monitor, so pipeline failures are surfaced and tracked.
- Node 24–compatible action versions throughout, and architecture/user documentation under `docs/`.
Known limitations
- Mirroring and promotion currently cover the `node`, `openjdk`, and `python` base images only; other images require adding their own workflows.
- Automatic schedules for the hardened Python workflows are disabled by default and must be enabled/triggered manually.
- Override approval and Slack notifications depend on repository configuration (secrets, environments, Slack webhook) being set up per the docs.
- Demo apps (Java, Node.js, Python) are skeletons intended to exercise the pipeline, not production workloads.
What's Changed
- Integrating image sync into the main branch by @toddysm in #8
- Integrated task trigger on image push and SBOM generation task by @toddysm in #9
- Implemented synchronization of images and validations by @toddysm in #10
- Added dockerfile for copacetic by @toddysm in #15
- Completed acquire stage tasks by @toddysm in #16
- Added basic test workflow by @toddysm in #17
- Added base image verification before build by @toddysm in #18
- Added notation setup step by @toddysm in #19
- Added experimental flag for notation in the build workflow by @toddysm in #20
- Implemented image lifecycle verification in the build stage by @toddysm in #21
- Completed the vulnerability checks as part of the build stage by @toddysm in #23
- Updated Github workflow by @toddysm in #24
- Updated workflow trust policy with new registry name by @toddysm in #25
- Updated ACR task for patching to add lifecycle metadata by @toddysm in #26
- Fixed workflow name and updated arch diagram by @toddysm in #27
- Updated arch diagram by @toddysm in #28
- Updated diagram formats by @toddysm in #29
- Updated demo script and added white bg arch diagram by @toddysm in #30
- chore: reset repo content for custos demo by @toddysm in #31
- feat: add skeleton for python, nodejs, and java demo apps by @toddysm in #32
- feat: add base image mirror workflow and docs conventions by @toddysm in #33
- Add mirror workflow for node:26-alpine into base/node by @toddysm in #34
- Mirror images into quarantine/ namespace instead of base/ by @toddysm in #35
- Add mirror workflow for openjdk:27-ea-slim into quarantine/openjdk by @toddysm in #36
- Expand README with project overview and status badges by @toddysm in #37
- docs: add architecture docs for image mirror workflows by @toddysm in #38
- docs: add user guide for mirroring base images by @toddysm in #39
- docs: use a descriptive README title by @toddysm in #40
- feat(workflows): scan-and-promote workflows (quarantine → golden) by @toddysm in #46
- feat(workflows): detailed per-image scan report by @toddysm in #47
- fix(workflows): pin ORAS CLI to 1.3.0 supported by setup-oras by @toddysm in #48
- fix(workflows): bump Trivy to v0.71.0 and setup-oras to v2.0.0 (Node 24) by @toddysm in #49
- Add mirror & scan workflows for hardened python DHI by @toddysm in #53
- DHI: mirror referrers + SBOM-based scanning for hardened images by @toddysm in #57
- Refactor scan workflows into discrete, dependent steps by @toddysm in #58
- Fix mirror step failing after a successful copy by @toddysm in #59
- Refactor workflows into reusable composite actions by @toddysm in #60
- Bump Node 20 actions to Node 24-compatible v5.0.0 by @toddysm in #61
- Bump artifact actions to Node 24 and rename scan workflows to promote-from-quarantine by @toddysm in #62
- Disable automatic schedules for hardened python workflows by @toddysm in #63
- Clean up CodeQL workflow by removing languages by @toddysm in #73
- feat: human-in-the-loop override approval for blocked promotions by @toddysm in #72
- docs: guide for configuring override approval + Slack notifications by @toddysm in #75
- Enable override approval + Slack alerts on all promote callers by @toddysm in #76
- Fix override promotion failing on quarantine-delete error by @toddysm in #78
- Design: automatic CI-failure issue filing (workflow_run monitor) by @toddysm in #79
- feat: automatic CI-failure issue filing (workflow_run monitor) by @toddysm in #86
Full Changelog: https://github.com/toddysm/cssc-framework/commits/v0.1.0