Skip to content

Feature: Container Image Signing, SBOM, and Attestation #96

New issue
New issue
Open
Open
Feature: Container Image Signing, SBOM, and Attestation#96
Labels
architectureTriggers Simple Forge's Software Architect role to start working on the issue
@simple-container-forge

Description

@simple-container-forge
simple-container-forge
bot
opened on Feb 4, 2026

Feature Design Request

Parent Issue: #93
Base Branch: simple-forge/issue-93-feature-request-container-imag-t9y6ga

Problem

Simple Container users deploying to AWS Marketplace, government contracts, or enterprise customers need to meet supply chain security compliance requirements (NIST SP 800-218, SLSA Level 2+, Executive Order 14028). Currently they maintain complex bash scripts (2,400+ lines) outside of Simple Container workflows. This feature adds optional container security capabilities directly to the sc CLI and YAML configuration.

Scope

Add optional security features to Simple Container: (1) Image signing with Cosign (keyless OIDC or key-based), (2) SBOM generation with Syft (CycloneDX/SPDX formats), (3) SLSA provenance attestations, (4) Vulnerability scanning with Grype and Trivy. All features integrate seamlessly into existing sc deploy and sc build commands via YAML configuration. Features are optional and disabled by default for backwards compatibility. Implementation leverages external tools via subprocess invocation rather than embedded libraries.

Acceptance Criteria

  • Users can enable image signing via YAML configuration in client.yaml with support for keyless OIDC signing and key-based signing
  • Users can generate SBOMs (CycloneDX or SPDX format) via Syft integration and attach as signed attestations to container images
  • Users can generate and attach SLSA v1.0 provenance attestations with automatic CI/CD metadata extraction (GitHub Actions, GitLab CI, etc.)
  • Users can scan images for vulnerabilities using Grype and/or Trivy with configurable fail-on-severity thresholds and DefectDojo integration
  • All security operations integrate into existing sc deploy and sc build commands when enabled via configuration
  • Security features work in parallel where possible (SBOM generation, signing, scanning) with optimized performance
  • Comprehensive error handling with retry logic for transient failures and clear actionable error messages
  • Full backwards compatibility - existing configurations without security block work unchanged with zero performance impact
  • CI/CD environment auto-detection for OIDC signing and provenance metadata (GitHub Actions, GitLab CI, CircleCI, Azure DevOps)
  • Registry compatibility with graceful fallbacks - works with AWS ECR, GCR, Harbor, Docker Hub, Azure ACR with appropriate degradation for limited attestation support
  • Complete documentation including getting started guide, configuration reference, CLI reference, how-to guides, troubleshooting guide, and CI/CD integration examples
  • Compliance coverage for NIST SP 800-218 SSDF (PS.1.1, PS.3.1, PS.3.2, RV.1.1, RV.1.3), SLSA Level 2-3, and Executive Order 14028 requirements

Documentation

  • docs/product-manager/container-security/requirements.md
  • docs/product-manager/container-security/technical-constraints.md
  • docs/product-manager/container-security/task-breakdown.md
  • docs/product-manager/container-security/SUMMARY.md

Notes

Comprehensive product requirements with 6-phase implementation plan (17 weeks). Phase 1: Core Signing (4 weeks), Phase 2: SBOM Generation (3 weeks), Phase 3: Provenance (2 weeks), Phase 4: Vulnerability Scanning (3 weeks), Phase 5: Integration and Optimization (3 weeks), Phase 6: Documentation and Launch (2 weeks). Resource requirements: 2 backend engineers full-time, 1 DevOps engineer 50% time, 1 QA engineer 50% time, 1 technical writer full-time Phase 6. All features designed to leverage existing Simple Container architecture (YAML configuration, secret management, template system, CLI patterns) with zero breaking changes.

Dependencies

  • External tools: Cosign v3.0.2+, Syft v1.41.0+, Grype v0.106.0+, Trivy v0.68.2+ must be available in execution environment
  • Container registries must support OCI image format; attestation support varies by registry (ECR, GCR, Harbor have full support; Docker Hub has partial support)
  • For keyless signing: CI/CD environment must support OIDC token issuance (GitHub Actions requires id-token: write permission)
  • Simple Container existing features: secret management system for storing signing keys and API tokens, YAML configuration parsing and validation, CLI command framework

Priority: high

This issue was automatically created by the Multi-Role Orchestration system.

Metadata

Metadata

Assignees

No one assigned

    Labels

    architectureTriggers Simple Forge's Software Architect role to start working on the issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions