- Monitor for new Chainguard Images in your dedicated registry
- Verify the image's integrity and provenance by checking its Sigstore signature with cosign
- Use chainctl image diff to determine if the new image remediates a Critical or High CVE
- Scan the image with grype and Prisma Cloud
- Create a PR that:
  - Updates the Helm values with the new image
  - Lists the CVEs that will be remediated by the change
  - Attaches the scan result
  - Uses Chainguard Unique Tags for consistency and atomic rollbacks
- Deploy to a Kubernetes Cluster once PR is merged
- Adheres to the principle of least privilege by using short-lived, ephemeral tokens to:
  - Authenticate to the Chainguard Registry via an assumed identity (exchanging each workflow invocation's ambient credentials for a short-lived token)
  - Authenticate to GitHub (using octo-sts in place of a long-lived PAT)
  - Sign commits with Sigstore gitsign
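The steps above between scanning and opening the PR (decide whether the new image actually fixes a Critical or High CVE, list what it fixes, pin the unique tag) are shown below as an added example; it is not code from this repository. It takes two grype JSON reports, the image currently deployed and the new candidate, instead of `chainctl image diff` output, because the grype `-o json` schema (`matches[].vulnerability.{id,severity}` and `matches[].artifact.{name,version}`) is what the example parses. The embedded reports, the CVE ids, the image name `cgr.dev/example/app`, the tag and the digest are all constructed placeholders, and the Helm fragment assumes a chart that renders `{{ .Values.image.repository }}:{{ .Values.image.tag }}`. Signature verification with cosign and the diff are assumed to have run before this step.

```python
"""Severity gate, PR body and Helm values for a Chainguard image bump.

Added example, not code from the original repository. Inputs are two grype
JSON reports (the image currently deployed and the new candidate). The
constructed reports below stand in for real `grype -o json` output, which
has the same matches[].vulnerability.{id,severity} / artifact.{name,version}
shape. Image name, tag and digest are placeholders.
"""
import json

GATE_SEVERITIES = {"Critical", "High"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4, "Unknown": 5}

# Constructed sample reports (placeholder CVE ids, not real advisories).
CURRENT_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libfoo", "version": "1.0.0-r0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libbar", "version": "2.3.1-r1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "libbaz", "version": "0.9.0-r2"}},
]})
CANDIDATE_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libbar", "version": "2.3.1-r1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
     "artifact": {"name": "libqux", "version": "4.0.0-r0"}},
]})


def load_matches(report_json):
    """Map CVE id -> (severity, package, version) from a grype JSON report."""
    findings = {}
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        findings[vuln["id"]] = (vuln["severity"], art["name"], art["version"])
    return findings


def remediated(current_json, candidate_json):
    """CVEs present in the current image but gone from the candidate."""
    cur, cand = load_matches(current_json), load_matches(candidate_json)
    return {cve: meta for cve, meta in cur.items() if cve not in cand}


def introduced(current_json, candidate_json):
    """CVEs the candidate adds; a bump can regress, so surface these too."""
    cur, cand = load_matches(current_json), load_matches(candidate_json)
    return {cve: meta for cve, meta in cand.items() if cve not in cur}


def should_open_pr(current_json, candidate_json):
    """Gate: only open a PR when at least one Critical or High CVE goes away."""
    fixed = remediated(current_json, candidate_json)
    return any(sev in GATE_SEVERITIES for sev, _, _ in fixed.values())


def _table(findings):
    # Most severe first, then by id, so reviewers see the headline fixes at the top.
    ordered = sorted(findings.items(),
                     key=lambda kv: (SEVERITY_RANK.get(kv[1][0], 9), kv[0]))
    rows = [f"| {cve} | {sev} | {pkg} {ver} |" for cve, (sev, pkg, ver) in ordered]
    return "\n".join(["| CVE | Severity | Package |", "|---|---|---|"] + rows)


def render_pr_body(repo, tag, digest, current_json, candidate_json, scan_file):
    """Markdown PR body: what gets fixed, what gets added, which scan is attached."""
    fixed = remediated(current_json, candidate_json)
    added = introduced(current_json, candidate_json)
    parts = [f"## Bump {repo} to {tag}", f"Digest: `{digest}`", "",
             "### CVEs remediated by this change", _table(fixed)]
    if added:
        parts += ["", "### CVEs introduced by this change (review before merging)",
                  _table(added)]
    parts += ["", f"Scan result attached: `{scan_file}`"]
    return "\n".join(parts)


def render_helm_values(repo, tag, digest):
    """Helm values fragment pinning the unique tag and the digest.

    Assumes the chart renders `{{ .Values.image.repository }}:{{ .Values.image.tag }}`.
    Kubernetes accepts the `name:tag@sha256:...` form and pulls by digest, so the
    unique tag stays a readable rollback handle while the digest makes it immutable.
    """
    return f"image:\n  repository: {repo}\n  tag: {tag}@{digest}\n"


if __name__ == "__main__":
    # Placeholder image coordinates; a real run would take these from the registry watch.
    repo, tag, digest = "cgr.dev/example/app", "1.2.3-20240101", "sha256:" + "0" * 64
    if should_open_pr(CURRENT_SCAN, CANDIDATE_SCAN):
        print(render_pr_body(repo, tag, digest, CURRENT_SCAN, CANDIDATE_SCAN, "grype-candidate.json"))
        print(render_helm_values(repo, tag, digest))
    else:
        print("no Critical/High CVE remediated; skipping PR")
```

With the constructed reports the gate passes (CVE-0000-0001, Critical, is gone), the body lists the two remediated CVEs with the Critical one first, and separately calls out the Low finding the candidate introduces so the reviewer sees the regression before merging. Pinning `tag@digest` rather than the tag alone is what makes the rollback atomic: re-applying the previous values file pulls exactly the previous bytes even if the tag were ever re-pushed.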