Security Overview
ARMORRED applies a defense-in-depth security model to container images, addressing threats at every layer from the build pipeline to runtime deployment. The security posture is built on four pillars: reproducible builds from source, comprehensive vulnerability management, cryptographic supply chain verification, and transparent hardening with full auditability.
Supply Chain Security
Software supply chain attacks exploit trust relationships between software producers and consumers. By compromising a build tool, dependency, or distribution channel, attackers can inject malicious code that propagates to every downstream consumer. High-profile incidents including SolarWinds, Codecov, and the xz backdoor demonstrate the severity and reach of these attacks.1
ARMORRED addresses supply chain risk through:
- Reproducible builds: Images are built from source using Nix, producing deterministic outputs that can be independently verified. The same source inputs always produce the same binary outputs.
- Minimal dependencies: Building
FROM scratcheliminates inherited trust from base image maintainers. Only explicitly declared dependencies enter the image. - Pinned inputs: Every dependency is referenced by cryptographic hash, preventing substitution attacks where a compromised registry serves modified packages.
- Build provenance: Build metadata documents the exact inputs, tools, and environment used to produce each image, aligned with SLSA Level 3 requirements.2
Image Signing
Every ARMORRED image is cryptographically signed using Sigstore cosign. The public key is published at https://armorred.org/cosign.pub. This provides:
| Property | Mechanism | Benefit |
|---|---|---|
| Authenticity | ECDSA signature (P-256) | Proves the image was signed by ARMORRED |
| Integrity | Cryptographic signature | Detects any tampering after publication |
| Verification | Published public key | Users verify using cosign.pub from the website |
Verify any ARMORRED image before deployment:
See the Image Verification guide for detailed instructions and policy enforcement.
Software Bill of Materials
ARMORRED delivers complete SBOMs (Software Bill of Materials) in CycloneDX 1.6 format with every image. Each image ships with two SBOMs:
- ARMORRED SBOM: Documents every component in the hardened image
- Upstream SBOM: Documents the original upstream image for comparison
This dual-SBOM approach enables:
- Rapid vulnerability assessment when new CVEs are published
- Audit of what changed during the hardening process
- License compliance verification across all components
- Regulatory compliance (Executive Order 14028, EU Cyber Resilience Act)
See Understanding SBOMs for format details, tooling, and practical usage.
Vulnerability Management
ARMORRED performs continuous vulnerability scanning using multiple databases:
| Source | Coverage |
|---|---|
| National Vulnerability Database (NVD) | Comprehensive CVE database maintained by NIST |
| GitHub Security Advisories | GitHub ecosystem vulnerabilities |
| OSV (Open Source Vulnerabilities) | Aggregated open source vulnerability data |
| Vendor security feeds | Software-specific security advisories |
Scanning Pipeline
Every image is scanned at build time and continuously rescanned against updated databases:
- Build-time scan: Grype analyzes the SBOM against all vulnerability databases
- Daily rescan: Published images are rescanned as new CVEs are disclosed
- Impact assessment: Determines if vulnerabilities are exploitable in the ARMORRED context
- Rebuild: If exploitable vulnerabilities are found, new images are published within 24 hours
Vulnerability Reduction
The combination of scratch-based builds and minimal dependency sets eliminates the vast majority of vulnerabilities present in upstream images. For nginx 1.26:
| Severity | Upstream | ARMORRED |
|---|---|---|
| Critical | 18 | 0 |
| High | 25 | 1 |
| Medium | 57 | 0 |
| Low | 11 | 0 |
| Total | 117 | 1 |
The 99.1% reduction comes from excluding components that nginx never uses but that Debian includes in its base image.
Two-Tier Security Model
ARMORRED offers two hardening tiers that address different compatibility and security requirements:
| Aspect | Hardened | Locked |
|---|---|---|
| Compatibility guarantee | Drop-in replacement for upstream | Not guaranteed 100% drop-in |
| Feature retention | All upstream features retained | Drops some rarely-used features |
| Build from scratch | Yes | Yes |
| Non-root | Yes (UID 65534) | Yes (UID 65534) |
| Signed | Yes (cosign) | Yes (cosign) |
| SBOM | Yes (CycloneDX) | Yes (CycloneDX) |
The specific hardening details (compilation flags, included modules, shell availability) vary per image and are documented on each image's analysis page under Images.
See Hardened vs Locked for detailed guidance on choosing a tier.
Reporting Security Issues
If you discover a security vulnerability in ARMORRED images or infrastructure, report it through GitHub Security Advisories on the ARMORRED GitHub organization. Do not open public issues for security vulnerabilities.
Reports should include:
- Affected image and version
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
The ARMORRED team will acknowledge reports within 48 hours and provide a timeline for remediation.
References
CISA. "Defending Against Software Supply Chain Attacks." https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
SLSA (Supply-chain Levels for Software Artifacts). "SLSA Specification v1.0." https://slsa.dev/spec/v1.0/