
chainguard-dev/auto-deploy-demo


Auto Update a Helm Deployment

  • Monitor a dedicated Chainguard registry for new Chainguard Images
  • Verify the integrity of each new image by validating its digital signature with cosign
  • Use chainctl image diff to determine whether the new image remediates a Critical or High CVE
  • Scan the image with grype and Prisma Cloud
  • Create a PR that:
    • Updates the Helm deployment to the new image
    • Lists the CVEs that the change remediates
    • Attaches the scan results
    • Uses Chainguard Unique Tags for consistency and atomic rollbacks
  • Deploy to a Kubernetes cluster once the PR is merged
  • Adhere to least privilege by using short-lived, ephemeral tokens to:
    • Authenticate to the Chainguard Registry with an assumed identity (using the ambient credentials of each workflow invocation)
    • Authenticate to GitHub (using octo-sts in place of a long-lived PAT)
    • Sign commits with Sigstore gitsign
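The gate in the list above (only act when the new image remediates a Critical or High CVE) and the PR description it feeds can be derived from two scan reports. The block below is an added example and is not code from this repository: it takes grype-style JSON for the currently deployed image and for the candidate image, works out which findings disappear and which appear, and only recommends opening a PR when a Critical or High CVE is remediated. The scan data, CVE identifiers, package names and image references are constructed for the example; the repository's own workflows use chainctl image diff and real grype and Prisma Cloud output.

```python
import json
from typing import Dict, Tuple

# Constructed sample scan reports. The shape (top-level "matches", each with
# "vulnerability" and "artifact" objects) mirrors grype's JSON output; the CVE
# identifiers, packages and versions are made up for this example.
CURRENT_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "openssl", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "zlib", "version": "1.2.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "curl", "version": "7.0.0"}},
]})
CANDIDATE_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "curl", "version": "7.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
     "artifact": {"name": "bash", "version": "5.0.0"}},
]})

# Severities that justify opening an update PR on their own.
GATING_SEVERITIES = {"Critical", "High"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3,
                 "Negligible": 4, "Unknown": 5}

Finding = Tuple[str, str, str]  # (severity, package, version)


def load_findings(scan_json: str) -> Dict[str, Finding]:
    """Index a grype-style JSON report by CVE id."""
    report = json.loads(scan_json)
    findings: Dict[str, Finding] = {}
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        findings[vuln["id"]] = (vuln["severity"], art["name"], art["version"])
    return findings


def diff_findings(current_json: str, candidate_json: str):
    """Return (remediated, introduced): CVEs only in current / only in candidate."""
    current, candidate = load_findings(current_json), load_findings(candidate_json)
    remediated = {cve: f for cve, f in current.items() if cve not in candidate}
    introduced = {cve: f for cve, f in candidate.items() if cve not in current}
    return remediated, introduced


def should_open_pr(current_json: str, candidate_json: str) -> bool:
    """Gate: open a PR only when the candidate removes at least one Critical/High CVE."""
    remediated, _ = diff_findings(current_json, candidate_json)
    return any(sev in GATING_SEVERITIES for sev, _, _ in remediated.values())


def render_pr_body(current_ref: str, candidate_ref: str,
                   current_json: str, candidate_json: str) -> str:
    """Build the PR description: remediated CVEs first, newly introduced ones as a caveat."""
    remediated, introduced = diff_findings(current_json, candidate_json)

    def rows(findings: Dict[str, Finding]):
        # Most severe first, then by CVE id, so reviewers see what matters at the top.
        ordered = sorted(findings.items(),
                         key=lambda kv: (SEVERITY_RANK.get(kv[1][0], 99), kv[0]))
        return [f"- {cve} ({sev}) in {pkg} {ver}"
                for cve, (sev, pkg, ver) in ordered] or ["- none"]

    lines = [f"Update image from `{current_ref}` to `{candidate_ref}`", "",
             "CVEs remediated by this change:", *rows(remediated), "",
             "CVEs introduced by this change (review before merging):", *rows(introduced)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical image references; pinning the candidate by digest is what makes
    # the Helm update reproducible and the rollback atomic.
    old = "registry.example/redis-server-bitnami:old"
    new = "registry.example/redis-server-bitnami@sha256:" + "0" * 64
    if should_open_pr(CURRENT_SCAN, CANDIDATE_SCAN):
        print(render_pr_body(old, new, CURRENT_SCAN, CANDIDATE_SCAN))
    else:
        print("No Critical/High CVE remediated; skipping PR")
```

Note that a CVE present in both reports (CVE-0000-0003 above) is neither remediated nor introduced and is left out of the PR body, and that a candidate which only removes Low or Medium findings does not pass the gate, matching the Critical/High threshold the workflow applies.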

Usage

  • Run the scan workflow to populate the scan data for the very old redis-server-bitnami image
  • Run the updates workflow to generate a PR with updated scan results from both Grype and Prisma Cloud
  • Merge the PR
  • Profit
