Skip to content

toddysm/cssc-framework

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

173 Commits
.github/workflows
.github/workflows
 
 
apps
apps
 
 
docs
docs
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
MAINTAINERS
MAINTAINERS
 
 
README.md
README.md
 
 

Repository files navigation

cssc-framework

GitHub issues GitHub pull requests License

Containers Secure Supply Chain (CSSC) Framework implementation — a hands-on demonstration repository that shows how to put the practices from the Containers Secure Supply Chain framework and the Custos project into action.

Overview

Securing a container supply chain is not a single step — it spans acquiring upstream artifacts, building on trusted bases, scanning and patching, signing, generating SBOMs, and enforcing policy at deploy time. This repository brings those stages together as working, runnable examples so you can see how each piece fits.

It is intended as a demonstration and reference, not a production system. The samples are deliberately small so the security mechanics stay front and center.

What's here today

The repository currently demonstrates the supply chain stages using three independent sample applications, each built on a base image that is mirrored from an upstream registry into a controlled namespace before use:

App Language Build tool Folder
Python web app Python pip apps/python-app/
Node.js web app Node.js npm apps/nodejs-app/
Java web app Java Gradle apps/java-app/

Supporting capabilities already in place include:

  • Base image mirroring — GitHub Actions workflows that copy upstream images into a quarantine/ namespace in GHCR, refreshing only when the upstream digest changes. See the workflow naming conventions.

Planned supply chain building blocks — acquire, scan, patch, sign, and SBOM-generation — will be added as the demonstration grows.

What's coming next

This repository will grow beyond container apps to cover AI-related artifacts — models, datasets, and other ML supply chain components — and demonstrate how to secure them with the same supply chain principles: provenance, scanning, signing, SBOMs/AI-BOMs, and policy enforcement.

Relationship to the CSSC framework and Custos

  • The CSSC framework defines the stages and practices for securing a container supply chain. This repository provides concrete, runnable examples of those stages.
  • The Custos project is the broader effort this repository supports; the samples here demonstrate steps and artifacts from that work.

Repository layout

Path Purpose
apps/ Sample applications demonstrating the supply chain stages.
docs/ Detailed documentation, organized by topic.
.github/workflows/ Mirror and automation workflows.

Documentation

Detailed documentation lives in docs/, organized by topic:

Contributing

See MAINTAINERS and the contributing docs for conventions used in this repository.

License

Licensed under the Apache License 2.0.

About

Containers Secure Supply Chain Framework implementation

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages