Minimal Wolfi-based nginx HTTP, reverse proxy, mail proxy, and a generic TCP/UDP proxy server
```shell
docker pull ghcr.io/gitguardian/nginx:latest
```
GitHub CLI (`gh`) can be used to retrieve the build provenance, which details the exact commit, workflow, and runner that produced the image:

- Production image

  ```shell
  gh attestation verify \
    --owner gitguardian \
    oci://ghcr.io/gitguardian/wolfi/nginx:latest
  ```

- Shell image

  ```shell
  gh attestation verify \
    --owner gitguardian \
    oci://ghcr.io/gitguardian/wolfi/nginx:latest-shell
  ```
All official images are cryptographically signed using Sigstore Cosign.
To ensure the image is authentic and has not been tampered with, use the following command:

- Production image

  ```shell
  cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
    ghcr.io/gitguardian/wolfi/nginx:latest | jq
  ```

- Shell image

  ```shell
  cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
    ghcr.io/gitguardian/wolfi/nginx:latest-shell | jq
  ```
To enhance transparency, we generate SBOMs for each release. SBOMs are available directly from the container registry and can be verified using Sigstore Cosign.

- Production image

  ```shell
  cosign verify-attestation \
    --type=https://spdx.dev/Document \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
    ghcr.io/gitguardian/wolfi/nginx:latest
  ```

- Shell image

  ```shell
  cosign verify-attestation \
    --type=https://spdx.dev/Document \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
    ghcr.io/gitguardian/wolfi/nginx:latest-shell
  ```
This will pull in the signature for the attestation specified by the `--type` parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:

```text
Verification for ghcr.io/gitguardian/wolfi/nginx:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: push
GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
GitHub Workflow Name: python
GitHub Workflow Repository: GitGuardian/wolfi
GitHub Workflow Ref: refs/heads/main
...
```
To download an attestation, use the `cosign download attestation` command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the python image on linux/amd64:

- Production image

  ```shell
  cosign download attestation \
    --platform=linux/amd64 \
    --predicate-type=https://spdx.dev/Document \
    ghcr.io/gitguardian/wolfi/nginx:latest | jq -r .payload | base64 -d | jq .predicate
  ```

- Shell image

  ```shell
  cosign download attestation \
    --platform=linux/amd64 \
    --predicate-type=https://spdx.dev/Document \
    ghcr.io/gitguardian/wolfi/nginx:latest-shell | jq -r .payload | base64 -d | jq .predicate
  ```
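As an added example (not code from the GitGuardian image or from cosign), the Python below does the same decoding as the `jq -r .payload | base64 -d | jq .predicate` pipeline above and adds the checks worth making before trusting what comes out: the envelope carries an in-toto payload, the statement's predicate type is the SPDX document that was requested, and the attestation's subject is the image you expected. The DSSE envelope it parses is constructed sample data with placeholder package versions and digest; the signature inside is not checked here, since that is the job of `cosign verify-attestation`.

```python
"""Decode a DSSE envelope as printed by `cosign download attestation` and
apply a small policy check before using the embedded SPDX SBOM.
Added example; the envelope below is constructed, not real registry data."""
import base64
import json

EXPECTED_IMAGE = "ghcr.io/gitguardian/wolfi/nginx"   # repository named on the page
SPDX_PREDICATE = "https://spdx.dev/Document"          # the --predicate-type value
INTOTO_PAYLOAD = "application/vnd.in-toto+json"       # payloadType cosign emits

# Constructed in-toto Statement wrapping a tiny SPDX document (sample values).
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": EXPECTED_IMAGE, "digest": {"sha256": "00" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "nginx", "versionInfo": "1.27.0-r0"},             # constructed
            {"name": "wolfi-baselayout", "versionInfo": "20230201-r15"},  # constructed
        ],
    },
}
# One envelope per line is what cosign prints; this is a single sample line.
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD,
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "c2lnbmF0dXJl"}],  # placeholder, not verified here
})


def extract_sbom(envelope_line: str, image: str = EXPECTED_IMAGE) -> dict:
    """Return the SPDX predicate, refusing envelopes whose payload type,
    predicate type or subject is not the one we asked cosign for."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != INTOTO_PAYLOAD:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))  # the `base64 -d` step
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"not an SPDX attestation: {stmt.get('predicateType')!r}")
    subjects = {s["name"] for s in stmt.get("subject", [])}
    if image not in subjects:
        raise ValueError(f"attestation covers {sorted(subjects)}, not {image}")
    return stmt["predicate"]


def package_versions(sbom: dict) -> dict:
    """Map package name -> version from an SPDX predicate's package list."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}
```

Feed each line of real `cosign download attestation` output to `extract_sbom` and compare `package_versions` against your allow-list or vulnerability feed.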