- Monitor for new Chainguard Images in your dedicated registry
- Verify integrity of the image by validating the digital signature with cosign
- Use chainctl image diff to determine if the new image remediates a Critical or High CVE
- Scan the image with grype and Prisma Cloud
- Create a PR that:
- Updates Helm with new image
- Lists the CVEs that will be remediated with the change
- Attaches the scan result
- Uses Chainguard Unique Tags for consistency and atomic rollbacks
- Deploy to a Kubernetes Cluster once PR is merged
- Adheres to security least privilege by using short-lived ephemeral tokens to:
- Authenticate to the Chainguard Registry using an assumed identity (using the ambient creds of each workflow invocation)
- Authenticate to GitHub (using octo-sts in place of a long-lived PAT)
- Signs commits using Sigstore/gitsign
-
Notifications
You must be signed in to change notification settings - Fork 0
License
chainguard-dev/auto-deploy-demo
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
About
No description, website, or topics provided.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published