This document outlines the security policies for ggbridge, including how to report vulnerabilities, verify artifact integrity, and understand the security measures in place.
We take security seriously. If you discover a vulnerability in ggbridge, please report it using our confidentially our Vulnerability Disclosure Portal.
Please avoid reporting security issues in public GitHub issues or discussions.
Version | Supported |
---|---|
Latest | β Security updates |
Older | β No updates |
We strongly recommend using the latest version of ggbridge to ensure you receive the latest security patches.
To ensure the integrity of our software, we provide a verifiable provenance for our Docker images. You can find all provenance attestations here.
Our ggbridge container images are built using GitHub Actions and follow best practices for supply chain security with a declarative approach leveraging apko.
- Base Image:
wolfi-base
- Build System: GitHub Actions (workflow:
release.yml
) - Package Management: melange for reproducible builds
- Declarative Build Spec:
apko.yaml
defines the image composition
GitHub CLI (gh) can be used to retrieve the build provenance, which details the exact commit, workflow, and runner that produced the image:
- Production image
gh attestation verify \
--owner gitguardian \
oci://ghcr.io/gitguardian/ggbridge:latest
- Shell image
gh attestation verify \
--owner gitguardian \
oci://ghcr.io/gitguardian/ggbridge:latest-shell
All official images are cryptographically signed using Sigstore Cosign.
Retrieve the latest tag form the GitHub repository:
LATEST_TAG=$(gh api repos/GitGuardian/ggbridge/releases/latest --jq '.tag_name')
To ensure the image is authentic and has not been tampered with, use the following command:
- Production image
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/GitGuardian/ggbridge/.github/workflows/release.yaml@refs/tags/${LATEST_TAG} \
ghcr.io/gitguardian/ggbridge:latest | jq
- Shell image
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/GitGuardian/ggbridge/.github/workflows/release.yaml@refs/tags/${LATEST_TAG} \
ghcr.io/gitguardian/ggbridge:latest-shell | jq
To enhance transparency, we generate SBOMs for each release. SBOMs are available directly from the container registry and can be verified using using Sigstore Cosign.
Retrieve the latest tag form the GitHub repository:
LATEST_TAG=$(gh api repos/GitGuardian/ggbridge/releases/latest --jq '.tag_name')
- Production image
cosign verify-attestation \
--type=https://spdx.dev/Document \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/GitGuardian/ggbridge/.github/workflows/release.yaml@refs/tags/${LATEST_TAG} \
ghcr.io/gitguardian/ggbridge:latest
- Shell image
cosign verify-attestation \
--type=https://spdx.dev/Document \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/GitGuardian/ggbridge/.github/workflows/release.yaml@refs/tags/${LATEST_TAG} \
ghcr.io/gitguardian/ggbridge:latest-shell
This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
Verification for ghcr.io/gitguardian/ggbridge:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/GitGuardian/ggbridge/.github/workflows/release.yaml@refs/tags/v1.0.2
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: push
GitHub Workflow SHA: 48c44edae7bed5d3e3d9be69b23b41b178ab642c
GitHub Workflow Name: Release
GitHub Workflow Repository: GitGuardian/ggbridge
GitHub Workflow Ref: refs/tags/v1.0.2
...
To download an attestation, use the cosign
download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the python image on linux/amd64
:
- Production image
cosign download attestation \
--platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
ghcr.io/gitguardian/ggbridge:latest | jq -r .payload | base64 -d | jq .predicate
- Shell image
cosign download attestation \
--platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
ghcr.io/gitguardian/ggbridge:latest-shell | jq -r .payload | base64 -d | jq .predicate