Cleanstart Image Security and SBOM Verification
All Cleanstart container images include verifiable signatures and comprehensive SBOMs (Software Bill of Materials), empowering users to authenticate the origin of every image build and to access a detailed inventory of all included components.
To download and verify image attestations, ensure you have the following tools installed:
cosign — for signing and verifying container images.
jq — for processing JSON data from attestation output.
SLSA Provenance Attestation
With every image we provide, you can download a verifiable SLSA v0.2 provenance attestation. This attestation is a signed document attached to the image that serves as a tamper-evident record of its creation: any change to the record after signing causes signature verification to fail.
By extracting this provenance, you gain full transparency into the image's build process, including:
The Artifact: The exact image identified by its unique cryptographic digest.
The Recipe: The build instructions, dependencies, and parameters used to create it.
The Builder: The trusted platform that generated the image, along with timestamps for the build.
Verifying the attestation confirms who built the image and that the record has not been altered since it was signed. When you inspect the provenance, also confirm that the digest listed under its subject is the digest of the image you actually pulled; the signature proves the builder's identity, and the subject digest is what ties that claim to the specific artifact in front of you.
Image Attestation Registries and Tags
This section explains how image attestations are managed and retrieved using specific registries and tags. More specifically, it covers:
The connection between image builds and attestations.
The purpose of different registries (clnstrt-images.clnstrt.dev/registry for "Starter" images and clnstrt-images.clnstrt.dev/$ORGANIZATION for "Production" images).
The role of tags (like latest) in fetching attestations. A tag is a mutable pointer, while an attestation is bound to an image digest; resolve the tag to a digest first and verify against that digest, so that a later retag cannot change what you are checking.
Download SBOM
Obtain the Software Bill of Materials (SBOM) for your container image to get a complete inventory of the components it contains.
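The following script is an added example, not Cleanstart's own tooling, covering both the SLSA provenance section above and this SBOM section. It runs cosign verify-attestation (which prints one DSSE envelope per line to stdout), unpacks the in-toto statement inside each envelope, binds the statement to the image digest you pulled, and then summarizes either the SLSA v0.2 provenance (artifact, recipe, builder) or the SPDX package list. The builder URL, repository URL, image name "example" under the Starter registry, digests and package versions in the sample data are constructed for the offline demonstration; the trust flags you pass to cosign depend on how Cleanstart signs and are left as an argument.

```python
"""Decode and sanity-check attestations printed by `cosign verify-attestation`.

Added example: this is not Cleanstart tooling. It assumes cosign writes one
DSSE envelope per line to stdout, that provenance uses the SLSA v0.2 predicate,
and that the SBOM is attached as an SPDX JSON attestation. The identity flags
you pass to cosign are an assumption you fill in for your own setup.
"""
import base64
import json
import subprocess

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SPDX_DOC = "https://spdx.dev/Document"  # predicateType cosign uses for --type spdxjson
IN_TOTO = "application/vnd.in-toto+json"


def decode_envelope(line):
    """Unpack one DSSE envelope line into the in-toto Statement it carries."""
    env = json.loads(line)
    if env.get("payloadType") != IN_TOTO:
        raise ValueError("unexpected payloadType %r" % env.get("payloadType"))
    return json.loads(base64.b64decode(env["payload"]))


def statement_covers(stmt, digest):
    """True if the statement's subject names the digest of the image we pulled.

    The signature proves who produced the attestation; this check binds it to
    the exact artifact, so an attestation for some other build is rejected.
    """
    want = digest.split(":", 1)[-1]  # accept "sha256:<hex>" or bare hex
    return any(s.get("digest", {}).get("sha256") == want for s in stmt.get("subject", []))


def summarize_provenance(stmt):
    """Pull the artifact/recipe/builder facts out of a SLSA v0.2 statement."""
    if stmt.get("predicateType") != SLSA_V02:
        raise ValueError("not SLSA v0.2 provenance: %r" % stmt.get("predicateType"))
    pred = stmt["predicate"]
    meta = pred.get("metadata", {})
    return {
        "builder": pred["builder"]["id"],
        "build_type": pred.get("buildType"),
        "parameters": pred.get("invocation", {}).get("parameters"),
        "started": meta.get("buildStartedOn"),
        "finished": meta.get("buildFinishedOn"),
        "materials": [(m.get("uri"), m.get("digest", {}).get("sha256"))
                      for m in pred.get("materials", [])],
    }


def list_sbom_packages(stmt):
    """Return sorted (name, version) pairs from an SPDX JSON SBOM attestation."""
    if stmt.get("predicateType") != SPDX_DOC:
        raise ValueError("not an SPDX document: %r" % stmt.get("predicateType"))
    pkgs = stmt["predicate"].get("packages", [])
    return sorted((p["name"], p.get("versionInfo", "")) for p in pkgs)


def fetch_statements(image, attestation_type, cosign_args):
    """Run cosign (needs registry access) and decode every envelope it verified.

    attestation_type is the value for cosign's --type flag ("slsaprovenance"
    or "spdxjson"); cosign_args carries your trust flags, e.g. --key or
    --certificate-identity plus --certificate-oidc-issuer (assumed, set by you).
    """
    cmd = ["cosign", "verify-attestation", "--type", attestation_type, *cosign_args, image]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [decode_envelope(line) for line in out.splitlines() if line.strip()]


# Constructed sample data (not real Cleanstart output) so the checks run offline.
SAMPLE_IMAGE = "clnstrt-images.clnstrt.dev/registry/example"  # image name assumed
SAMPLE_DIGEST = "sha256:" + "ab" * 32


def _envelope(statement):
    """Wrap a statement the way a DSSE envelope does (signature is a placeholder)."""
    return json.dumps({"payloadType": IN_TOTO,
                       "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                       "signatures": [{"keyid": "", "sig": "c2lnbmF0dXJl"}]})


SAMPLE_PROVENANCE_LINE = _envelope({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": SAMPLE_IMAGE, "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "builder": {"id": "https://builder.example.invalid"},
        "buildType": "https://example.invalid/build/v1",
        "invocation": {"parameters": {"target": "release"}},
        "metadata": {"buildStartedOn": "2024-01-01T00:00:00Z",
                     "buildFinishedOn": "2024-01-01T00:05:00Z"},
        "materials": [{"uri": "git+https://example.invalid/repo@refs/heads/main",
                       "digest": {"sha256": "11" * 32}}],
    },
})

SAMPLE_SBOM_LINE = _envelope({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_DOC,
    "subject": [{"name": SAMPLE_IMAGE, "digest": {"sha256": "ab" * 32}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "zlib", "versionInfo": "1.3.1"},
        {"name": "openssl", "versionInfo": "3.0.13"}]},
})

if __name__ == "__main__":
    prov = decode_envelope(SAMPLE_PROVENANCE_LINE)
    if not statement_covers(prov, SAMPLE_DIGEST):
        raise SystemExit("attestation is not for the image we pulled")
    print(json.dumps(summarize_provenance(prov), indent=2))
    print(list_sbom_packages(decode_envelope(SAMPLE_SBOM_LINE)))
```

Against a real image you would call fetch_statements(image_by_digest, "slsaprovenance", your_cosign_flags) and fetch_statements(image_by_digest, "spdxjson", your_cosign_flags), then run statement_covers with the digest you pulled before trusting either summary. The same unpacking in a shell pipeline is cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate, which is where the jq prerequisite above comes in; the script differs only in refusing to summarize a statement whose subject digest is not the one you asked about.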