Enterprise Security

Security-first container infrastructure

ImageSentinel is built from the ground up with security as the foundation. Every image is signed, verified, and continuously monitored.

Security Features

Cryptographic Image Signing

Every image is signed using Sigstore's keyless signing infrastructure. Signatures are recorded in a tamper-evident transparency log, enabling verification before deployment.

  • Keyless signing with Sigstore Cosign
  • Transparency log entries for all signatures
  • Verification in CI/CD pipelines
  • Policy enforcement with admission controllers
terminal
# Verify image signature
cosign verify registry.imagesentinel.io/python:3.12 \
  --certificate-identity-regexp=".*@imagesentinel.io" \
  --certificate-oidc-issuer="https://accounts.google.com"

✓ Transparency log entry verified
✓ Signature verified against certificate
✓ Certificate chain verified
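The policy that the two cosign flags above express (certificate subject matches a pattern, OIDC issuer is the expected one) is what an admission controller or CI gate re-checks on cosign's machine-readable output before letting a digest through. The following is an added example, not ImageSentinel's code: it takes a constructed sample of the JSON array that `cosign verify` prints (the `optional.Issuer` and `optional.Subject` fields are what keyless signatures carry; the digest and subject here are made up) and returns the manifest digest that is cleared for rollout.

```python
import json
import re

# Constructed sample of the JSON that `cosign verify` prints on success
# (one entry per valid signature). Digest and subject are illustrative.
COSIGN_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "registry.imagesentinel.io/python"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": "https://accounts.google.com",
            "Subject": "release-bot@imagesentinel.io",
        },
    }
])


def evaluate_signatures(cosign_json, identity_regexp, oidc_issuer):
    """Apply the identity/issuer policy that the cosign flags express to the
    JSON result, the way an admission webhook or CI gate would, and return
    the manifest digest that is cleared for rollout (None = reject)."""
    # Anchor the caller's pattern so a subject that merely *contains*
    # '@imagesentinel.io' cannot satisfy it; escape the dot in the domain too.
    pattern = re.compile(r"^(?:" + identity_regexp + r")$")
    try:
        signatures = json.loads(cosign_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(signatures, list):
        return None
    for sig in signatures:
        optional = sig.get("optional") or {}
        # Both the OIDC issuer and the certificate subject must match: a valid
        # Sigstore signature from an unexpected identity is still untrusted.
        if optional.get("Issuer") != oidc_issuer:
            continue
        if not pattern.match(optional.get("Subject", "")):
            continue
        digest = (sig.get("critical", {}).get("image", {})
                  .get("docker-manifest-digest", ""))
        if re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            return digest  # roll out by this digest, not by the mutable tag
    return None
```

Note the escaped dot in `.*@imagesentinel\.io`: the unescaped form in the command above also matches any single character in that position, so tighten it when the pattern goes into an enforced policy.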

Build Reproducibility

Deterministic builds ensure that the same source always produces the same binary output. This enables independent verification and audit of our build process.

  • Hermetic build environment
  • Pinned dependencies with checksums
  • Reproducible toolchains
  • Independent build verification
terminal
# Verify build reproducibility
imagesentinel verify-build python:3.12-hardened

Build Info:
  Source:     github.com/imagesentinel/images@v1.2.3
  Builder:    github-actions
  Timestamp:  2025-01-15T10:30:00Z

Reproducibility:
  ✓ Source hash matches
  ✓ Build steps verified
  ✓ Output digest: sha256:abc123...
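What makes "the same source produces the same digest" hold in practice is removing every non-content input from the artifact: entry order, timestamps, ownership and mode. The following is an added example, not ImageSentinel's build tooling: it packs a constructed set of files into an image-layer-style tar in memory with those inputs fixed, shows that two "builders" given the files in different orders produce the same sha256, that a timestamp alone changes it, and checks a fetched dependency against a pinned checksum (the files and the checksum are made up).

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the files that go into one image layer.
LAYER_FILES = {
    "app/app.py": b"print('hello')\n",
    "app/requirements.txt": b"requests==2.32.3\n",
}

# Constructed dependency and the checksum a lockfile would pin for it.
PINNED_DEP = b"fake wheel bytes\n"
PINNED_SHA256 = hashlib.sha256(PINNED_DEP).hexdigest()


def build_layer(files, mtime=0):
    """Pack `files` into an uncompressed tar in memory and return the sha256
    of the archive. Entries are written in sorted order with a fixed mtime,
    uid/gid 0 and a fixed mode, so the digest depends only on file content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def independently_reproduced(files, mtime=0):
    """Simulate two builders packing the same inputs and compare digests;
    True means the output is reproducible for these inputs."""
    # The second builder sees the same files in a different order.
    reordered = dict(reversed(list(files.items())))
    return build_layer(files, mtime) == build_layer(reordered, mtime)


def dependency_matches_pin(data, pinned_sha256):
    """Check a fetched dependency against its pinned checksum before use."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)
```

The `mtime` parameter is the point of the example: build with the default (0) and the digest is stable across machines and runs; let it default to the current time and every rebuild produces a different digest, which is exactly what an independent verifier would flag.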

SLSA Compliance

ImageSentinel images meet SLSA (Supply-chain Levels for Software Artifacts) Level 3 requirements, providing strong guarantees about build integrity and provenance.

  • Isolated build environment
  • Signed provenance attestations
  • Non-falsifiable build metadata
  • Audit trail for all builds
slsa-provenance.json
# View SLSA provenance. The v1 predicate shown below is selected with cosign's
# "slsaprovenance1" type; plain "slsaprovenance" is the older v0.2 predicate and
# would not match. Keyless verification also needs the identity/issuer flags.
cosign verify-attestation \
  --type slsaprovenance1 \
  --certificate-identity-regexp=".*@imagesentinel.io" \
  --certificate-oidc-issuer="https://accounts.google.com" \
  registry.imagesentinel.io/python:3.12

# Decoded in-toto statement from the attestation payload (abridged)
{
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://slsa.dev/container-build/v1"
    },
    "runDetails": {
      "builder": {
        "id": "https://github.com/imagesentinel/builder"
      }
    }
  }
}
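A verified signature on the attestation only proves who produced it; the deployment still has to check what the provenance says. The following is an added example, not ImageSentinel's code: it evaluates a constructed in-toto statement (the full `subject` and `resolvedDependencies` fields are filled in with placeholder values beyond what the abridged output above shows) against a policy built from the builder id and buildType on the page, and also insists that the attestation's subject digest is the digest being deployed.

```python
import json

IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed; normally read from the registry

# Constructed in-toto Statement carrying a SLSA v1 provenance predicate,
# shaped like the decoded payload of `cosign verify-attestation`.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "registry.imagesentinel.io/python",
        "digest": {"sha256": IMAGE_DIGEST.split(":", 1)[1]},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa.dev/container-build/v1",
            "resolvedDependencies": [{
                "uri": "git+https://github.com/imagesentinel/images@refs/tags/v1.2.3",
                "digest": {"gitCommit": "0" * 40},  # placeholder commit id
            }],
        },
        "runDetails": {"builder": {"id": "https://github.com/imagesentinel/builder"}},
    },
})

# What this deployment is willing to trust (values taken from the page's output;
# the source prefix is an assumption).
POLICY = {
    "predicate_type": "https://slsa.dev/provenance/v1",
    "builder_id": "https://github.com/imagesentinel/builder",
    "build_type": "https://slsa.dev/container-build/v1",
    "source_prefix": "git+https://github.com/imagesentinel/images@",
}


def check_provenance(statement_json, image_digest, policy):
    """Return the list of policy violations; an empty list means admit.
    Signature validity is cosign's job; this checks what the attestation says."""
    problems = []
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError:
        return ["attestation is not valid JSON"]

    if stmt.get("predicateType") != policy["predicate_type"]:
        problems.append("unexpected predicateType %r" % stmt.get("predicateType"))

    # The attestation must name *this* digest: an otherwise valid provenance
    # for a different image must not clear this one.
    want = image_digest.split(":", 1)[1]
    subjects = stmt.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == want for s in subjects):
        problems.append("subject digest does not match image")

    pred = stmt.get("predicate") or {}
    builder_id = ((pred.get("runDetails") or {}).get("builder") or {}).get("id")
    if builder_id != policy["builder_id"]:
        problems.append("untrusted builder id %r" % builder_id)

    build_def = pred.get("buildDefinition") or {}
    if build_def.get("buildType") != policy["build_type"]:
        problems.append("unexpected buildType %r" % build_def.get("buildType"))

    deps = build_def.get("resolvedDependencies") or []
    if not any(str(d.get("uri", "")).startswith(policy["source_prefix"]) for d in deps):
        problems.append("source repository not in the allow-list")
    return problems
```

Returning every violation rather than the first one gives an auditor a complete picture of why an image was rejected; the subject-digest check is the one most often forgotten.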

SBOM Transparency

Complete Software Bill of Materials for every image. Know exactly what packages, libraries, and dependencies are included in your containers.

  • SPDX and CycloneDX formats
  • Full dependency tree with versions
  • License information for compliance
  • VEX (Vulnerability Exploitability eXchange) attestations
sbom.json
# Download SBOM
imagesentinel sbom python:3.12-hardened \
  --format cyclonedx --output sbom.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "python",
      "version": "3.12.1",
      "purl": "pkg:deb/debian/python3.12@3.12.1"
    }
  ]
}
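An SBOM becomes useful when it is joined against an advisory feed, and VEX is what stops that join from paging people about vulnerabilities the image cannot exercise. The following is an added example, not ImageSentinel's tooling: it parses a constructed CycloneDX 1.5 document in the shape of the output above, matches component package URLs against a constructed advisory list (placeholder ids of the form CVE-EXAMPLE-nnnn), and applies simplified VEX `not_affected` statements, suppressing a finding only for the exact purl the statement names.

```python
import json

# Constructed CycloneDX 1.5 SBOM in the shape of the `imagesentinel sbom` output.
SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "python", "version": "3.12.1",
         "purl": "pkg:deb/debian/python3.12@3.12.1"},
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib1g@1.2.13"},
    ],
})

# Constructed advisory feed: placeholder ids -> affected package URLs.
ADVISORIES = {
    "CVE-EXAMPLE-0001": {"pkg:deb/debian/openssl@3.0.11-1"},
    "CVE-EXAMPLE-0002": {"pkg:deb/debian/zlib1g@1.2.13"},
    "CVE-EXAMPLE-0003": {"pkg:deb/debian/curl@8.5.0"},   # not in this image
}

# Constructed, simplified VEX statements from the image publisher
# (field names follow OpenVEX loosely; a real document is richer).
VEX = [
    {"vulnerability": "CVE-EXAMPLE-0002",
     "products": ["pkg:deb/debian/zlib1g@1.2.13"],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]


def parse_purls(sbom_json):
    """Map every component's purl to its (name, version). The purl is the
    reliable join key; bare names are ambiguous across distributions."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["purl"]: (c.get("name"), c.get("version"))
            for c in bom.get("components", []) if c.get("purl")}


def triage(sbom_json, advisories, vex):
    """Match the SBOM against the advisory feed, then apply VEX: a
    not_affected statement suppresses a finding only for the exact purl it
    names. Returns {'actionable': {...}, 'suppressed': {...}}."""
    present = set(parse_purls(sbom_json))
    not_affected = {(v["vulnerability"], p) for v in vex
                    if v.get("status") == "not_affected"
                    for p in v.get("products", [])}
    actionable, suppressed = {}, {}
    for vuln_id, affected in advisories.items():
        for purl in affected & present:
            bucket = suppressed if (vuln_id, purl) in not_affected else actionable
            bucket.setdefault(vuln_id, set()).add(purl)
    return {"actionable": actionable, "suppressed": suppressed}
```

Keeping the suppressed set in the result, rather than dropping it, lets the VEX justification be reviewed alongside the finding it silences.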

CVE Remediation Pipeline

Continuous monitoring and automated patching. When new vulnerabilities are discovered, we rebuild and publish patched images within hours, not weeks.

  • Real-time CVE monitoring
  • Automated rebuild triggers
  • Patch verification testing
  • Webhook notifications for updates
.github/workflows/cve-update.yml
# CVE remediation workflow
name: ImageSentinel Update

on:
  repository_dispatch:
    types: [imagesentinel-cve-patch]

env:
  # Image reference and patched tag delivered in the dispatch payload
  # (payload field names assumed; adjust to the webhook you configure)
  IMAGE: ${{ github.event.client_payload.image }}
  NEW_TAG: ${{ github.event.client_payload.new_tag }}

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: Pull patched image
        run: |
          docker pull "$IMAGE:$NEW_TAG"
          # Image already verified and signed

      - name: Deploy update
        run: kubectl set image deployment/app ...
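Whatever triggers the rebuild, the receiving side has to confirm the notification really came from the image publisher before it pulls and rolls anything out. The following is an added example, not ImageSentinel's webhook code: it verifies an HMAC-SHA256 signature over the raw body of a constructed notification (the header name, the shared secret and the payload field names are assumptions; the page does not document the webhook format), then returns a digest-pinned image reference for the rollout.

```python
import hashlib
import hmac
import json
import re

# Constructed shared secret; in production it comes from a secret store.
WEBHOOK_SECRET = b"constructed-shared-secret"

# Constructed notification body. The field names are an assumption about the
# ImageSentinel webhook format, which the page does not document.
PAYLOAD = json.dumps({
    "event": "cve-patch",
    "image": "registry.imagesentinel.io/python",
    "new_tag": "3.12-hardened",
    "digest": "sha256:" + "ab" * 32,
    "cves": ["CVE-EXAMPLE-0001"],
}).encode()


def sign_body(secret, body):
    """HMAC-SHA256 over the raw request body, hex-encoded with a scheme prefix."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers, body, secret):
    """Return (digest-pinned image reference, tag) to roll out, or None if the
    request must be ignored. Authenticity is checked before parsing, so a
    forged body is never interpreted."""
    provided = headers.get("X-Signature-256", "")
    # Constant-time comparison; a plain == leaks timing information.
    if not hmac.compare_digest(provided, sign_body(secret, body)):
        return None
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return None
    if event.get("event") != "cve-patch":
        return None
    digest = str(event.get("digest", ""))
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        return None
    image = str(event.get("image", ""))
    if not re.fullmatch(r"registry\.imagesentinel\.io/[a-z0-9._/-]+", image):
        return None  # only roll out images from the expected registry
    # Roll out by digest: a tag can be repointed later, the digest cannot,
    # and the digest is what the image signature covers.
    return (f"{image}@{digest}", event.get("new_tag"))
```

The returned `image@sha256:...` reference is what belongs in the `kubectl set image` step; the tag is kept only for logging.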

Rootless by Default

All ImageSentinel containers run as non-root users by default. This is defense in depth: it limits what a compromised process inside the container can do and the impact of a potential container escape.

  • Non-root user execution
  • Read-only filesystem support
  • No setuid binaries
  • Minimal capabilities
Dockerfile
# Rootless container execution
FROM registry.imagesentinel.io/python:3.12

# Copy the application in with ownership matching the non-root user
WORKDIR /app
COPY --chown=65532:65532 app.py /app/app.py

# The base image already runs as a non-root user; stating it explicitly
# keeps the build from silently inheriting root if the base ever changes
USER 65532:65532

# Read-only filesystem support
# No shell, no package manager
# Minimal attack surface

ENTRYPOINT ["python", "app.py"]
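The Dockerfile's `USER` line is a default that the orchestrator can override, so the same properties (non-root, read-only root filesystem, no privilege escalation, no capabilities) need to be stated and enforced in the Pod spec as well. The following is an added example, not part of ImageSentinel: a small audit over container specs parsed from a Pod manifest (the two constructed specs are made up), listing every deviation from that posture, which is the kind of check an admission policy or CI linter would run.

```python
# Container spec dicts as they would come from a parsed Pod manifest
# (constructed examples, not from the page).
HARDENED = {
    "name": "app",
    "image": "registry.imagesentinel.io/python:3.12",
    "securityContext": {
        "runAsNonRoot": True,                # kubelet refuses to start as uid 0
        "runAsUser": 65532,
        "runAsGroup": 65532,
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,   # no setuid gain even if a binary exists
        "capabilities": {"drop": ["ALL"]},
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}

WEAK = {
    "name": "sidecar",
    "image": "registry.imagesentinel.io/python:3.12",
    "securityContext": {"runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}},
}


def audit_container(container):
    """Return a list of findings for one container; [] means it matches the
    rootless, read-only, minimal-capability posture the image is built for."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings = []
    if sc.get("privileged"):
        findings.append("privileged: true")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true (image USER is not enforced by the kubelet)")
    if sc.get("runAsUser") == 0:
        findings.append("runAsUser is 0")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append("capabilities added: %s" % ", ".join(caps["add"]))
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile")
    return findings


def audit_pod(pod):
    """Audit every container and initContainer in a Pod; returns
    {container name: findings} for the containers that have any."""
    spec = pod.get("spec") or {}
    result = {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings = audit_container(c)
        if findings:
            result[c.get("name", "?")] = findings
    return result
```

The audit deliberately reads only the container-level `securityContext`; a pod-level context can set `runAsNonRoot` for all containers, so a production linter would merge the two before judging.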

Compliance & Certifications

  • SLSA L3: Supply chain security
  • SOC 2: Type II in progress
  • FedRAMP: Roadmap Q3 2025

Ready to secure your containers?

Get started with hardened container images today.