Traefik

Minimal Wolfi-based traefik image: HTTP and reverse proxy, mail proxy, and generic TCP/UDP proxy server

Pull Image

docker pull ghcr.io/gitguardian/traefik:latest

✅ Verify the Provenance

The GitHub CLI (gh) can retrieve the build provenance attestation, which records the exact commit, workflow, and runner that produced the image:

  • Production image
gh attestation verify \
  --owner gitguardian \
  oci://ghcr.io/gitguardian/wolfi/traefik:latest
  • Shell image
gh attestation verify \
  --owner gitguardian \
  oci://ghcr.io/gitguardian/wolfi/traefik:latest-shell

📦 Image Verification

All official images are cryptographically signed using Sigstore Cosign.

✅ Verify the Image Signature

To ensure the image is authentic and has not been tampered with, use the following command:

  • Production image
cosign verify \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
  ghcr.io/gitguardian/wolfi/traefik:latest | jq
  • Shell image
cosign verify \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
  ghcr.io/gitguardian/wolfi/traefik:latest-shell | jq

📦 Image SBOMs

To enhance transparency, we generate SBOMs for each release. SBOMs are available directly from the container registry and can be verified using Sigstore Cosign.

✅ Verify the Image Attestations

  • Production image
cosign verify-attestation \
  --type=https://spdx.dev/Document \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
  ghcr.io/gitguardian/wolfi/traefik:latest
  • Shell image
cosign verify-attestation \
  --type=https://spdx.dev/Document \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
  ghcr.io/gitguardian/wolfi/traefik:latest-shell

This fetches the signature for the attestation type selected by the --type parameter, which in this case is the SPDX SBOM attestation. On success, cosign prints output confirming that the SBOM attestation signature was verified and that its claims are present in the Sigstore transparency log:

Verification for ghcr.io/gitguardian/wolfi/traefik:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: push
GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
GitHub Workflow Name: python
GitHub Workflow Repository: GitGuardian/wolfi
GitHub Workflow Ref: refs/heads/main
...

✅ Download the Image SBOM Attestations

To download an attestation, use the cosign download attestation command and provide both the predicate type and the build platform. For example, the following command obtains the SBOM for the traefik image on linux/amd64:

  • Production image
cosign download attestation \
  --platform=linux/amd64 \
  --predicate-type=https://spdx.dev/Document \
  ghcr.io/gitguardian/wolfi/traefik:latest | jq -r .payload | base64 -d | jq .predicate
  • Shell image
cosign download attestation \
  --platform=linux/amd64 \
  --predicate-type=https://spdx.dev/Document \
  ghcr.io/gitguardian/wolfi/traefik:latest-shell | jq -r .payload | base64 -d | jq .predicate
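The jq pipeline above extracts the predicate without checking what it decoded. The following added example (not part of this README or the GitGuardian/wolfi project) performs the same decoding in Python and adds the checks a consumer should make before trusting the document: the DSSE payload type, the predicate type, and the subject digest. The envelope, digest and package list are constructed sample data; the signature itself is still verified by cosign verify-attestation, not here.

```python
import base64
import json

# Constructed sample of one line printed by `cosign download attestation`:
# a DSSE envelope whose base64 payload is an in-toto Statement.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
SAMPLE_DIGEST = "0" * 64  # placeholder image digest, not a real one

_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "ghcr.io/gitguardian/wolfi/traefik",
                 "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {  # constructed SPDX fragment; package versions are made up
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "traefik", "versionInfo": "3.0.0-r0"},
            {"name": "ca-certificates-bundle", "versionInfo": "20240705-r0"},
        ],
    },
}
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],
})


def decode_sbom_attestation(envelope_line, expected_digest=None):
    """Equivalent of `jq -r .payload | base64 -d | jq .predicate`, plus the
    checks that pipeline skips: payload type, predicate type and, when given,
    that the statement's subject is the image digest you actually pulled.
    Returns the SPDX predicate or raises ValueError."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    if expected_digest is not None:
        digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_digest not in digests:
            raise ValueError("attestation subject does not match the image digest")
    return statement["predicate"]


def list_packages(predicate):
    """Return 'name@version' for every package in the SPDX document."""
    return [f"{p['name']}@{p.get('versionInfo', '?')}" for p in predicate.get("packages", [])]
```

Feed it real output by reading each line of `cosign download attestation ... ghcr.io/gitguardian/wolfi/traefik:latest` and passing the digest reported by `docker inspect` or `crane digest` as expected_digest.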