CascadeGuard — MVP Technical Approach
MVP: Public Secure Images
The first product is a small set of public, hardened container base images maintained by CascadeGuard. The images are continuously scanned, automatically rebuilt when a vulnerability is detected, and published with full transparency (scan results and SBOMs visible to anyone).
This is not a multi-tenant SaaS or subscription product yet. It demonstrates our capability, builds trust, and establishes the platform infrastructure we’ll later open to users.
See mvp-secure-images.md for the full technical approach, data model, API design, and implementation plan.
Finalized Decisions
| Decision | Choice | ADR |
|---|---|---|
| Hosting + API | Cloudflare Workers (Python), Pages, R2, Turso, KV | ADR-001 |
| Auth | Clerk (deferred — not needed for MVP public dashboard) | ADR-002 |
| Scanning | Grype + Trivy in GitHub Actions (our repos) | — |
| SBOM | Syft in GitHub Actions | — |
| Image registry | GHCR (free for public images) | — |
What we build (MVP)
- Hardened base images — Dockerfiles for Node, Python, Go, Nginx (small set)
- CI pipelines — GitHub Actions workflows: scan, SBOM, rebuild
- API — Python on Cloudflare Workers: ingest scan results, track vulnerabilities, trigger rebuilds
- Public dashboard — React on Cloudflare Pages: image catalog, CVE detail, SBOM viewer, status badges
- SLA engine — auto-rebuild when critical/high CVEs exceed thresholds
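The SLA engine above is the piece that turns scan output into a rebuild decision. The following is an added example (not CascadeGuard code) of what that decision logic looks like in Python, the language chosen for the API. It assumes a Grype-like JSON report (`matches[].vulnerability.id/severity/fix.state` and `matches[].artifact.name/version`); the sample report, the CVE identifiers in it, the threshold values in `SlaPolicy`, and the names `evaluate_sla` and `SlaDecision` are all constructed for this example. Trivy emits a different JSON layout and would need its own adapter in front of the same policy.

```python
"""Rebuild decision for one image tag, driven by a Grype-like scan report.

Added example only: the JSON shape mimics Grype's "matches" array but the
data below is constructed, and the thresholds are assumptions, not a real SLA.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample report. CVE ids are placeholders, not real advisories.
SAMPLE_SCAN_JSON = """
{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"state": "fixed", "versions": ["1.2.3"]}},
     "artifact": {"name": "libexample", "version": "1.2.2"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"state": "fixed", "versions": ["1.2.3"]}},
     "artifact": {"name": "libexample", "version": "1.2.2"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical", "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libother", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High", "fix": {"state": "fixed", "versions": ["2.0.1"]}},
     "artifact": {"name": "toolfoo", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High", "fix": {"state": "fixed", "versions": ["2.0.2"]}},
     "artifact": {"name": "toolfoo", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "High", "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libbar", "version": "3.1"}},
    {"vulnerability": {"id": "CVE-0000-0006", "severity": "Medium", "fix": {"state": "fixed", "versions": ["1.0.1"]}},
     "artifact": {"name": "libbaz", "version": "1.0"}}
  ]
}
"""


@dataclass(frozen=True)
class SlaPolicy:
    """Maximum number of *fixable* findings tolerated per severity.

    A rebuild is triggered when a count exceeds its limit. The defaults are
    assumed for this example, not CascadeGuard's real SLA values.
    """
    critical_fixable_max: int = 0
    high_fixable_max: int = 2


@dataclass
class SlaDecision:
    rebuild: bool
    reasons: list = field(default_factory=list)
    fixable: Counter = field(default_factory=Counter)    # severity -> count
    unfixable: Counter = field(default_factory=Counter)  # severity -> count


def _findings(report: dict):
    """Yield (severity, fixable) per unique (vuln id, package, version).

    Scanners can repeat a match; de-duplicating keeps one CVE from being
    counted twice against the same package and tripping the threshold early.
    """
    seen = set()
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        key = (vuln.get("id"), art.get("name"), art.get("version"))
        if key in seen:
            continue
        seen.add(key)
        # Grype writes "Critical", Trivy writes "CRITICAL": normalise once.
        severity = str(vuln.get("severity", "unknown")).lower()
        fixable = vuln.get("fix", {}).get("state") == "fixed"
        yield severity, fixable


def evaluate_sla(scan_json: str, policy: SlaPolicy = SlaPolicy()) -> SlaDecision:
    """Count findings by severity and decide whether a rebuild is warranted.

    Only findings with an upstream fix count toward the rebuild threshold:
    rebuilding against the same upstream would reproduce an unfixed finding,
    so those are recorded for the dashboard rather than used as a trigger.
    """
    report = json.loads(scan_json)
    decision = SlaDecision(rebuild=False)
    for severity, fixable in _findings(report):
        bucket = decision.fixable if fixable else decision.unfixable
        bucket[severity] += 1

    limits = {"critical": policy.critical_fixable_max,
              "high": policy.high_fixable_max}
    for severity, limit in limits.items():
        count = decision.fixable[severity]
        if count > limit:
            decision.reasons.append(
                f"{count} fixable {severity} finding(s) exceed limit {limit}")
    decision.rebuild = bool(decision.reasons)
    return decision


if __name__ == "__main__":
    result = evaluate_sla(SAMPLE_SCAN_JSON)
    print("rebuild:", result.rebuild)
    for reason in result.reasons:
        print(" -", reason)
    print("fixable:", dict(result.fixable), "unfixable:", dict(result.unfixable))
```

With the sample report the duplicate critical entry collapses to one finding, which alone exceeds the critical limit of 0 and triggers a rebuild; the two fixable highs sit exactly at the limit of 2 and do not. Lowering `high_fixable_max` to 1 produces a second reason, and a report with no matches never rebuilds.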
What we defer
- User sign-up and enrollment (multi-tenant SaaS)
- Billing / subscriptions (Stripe)
- GitLab/Bitbucket CI support
- Clerk auth integration (no login needed for public dashboard)
- Kargo/ArgoCD/Flux webhook integrations
Future path: Open-source → SaaS
Once the public images MVP proves the platform works end-to-end, we extend it:
- Add Clerk auth → users can sign up
- Add image enrollment → users monitor their own images
- Add billing → paid tiers for more images and features
- Add GitLab/Bitbucket CI templates
The platform infrastructure (API, DB, dashboard) built for the MVP carries forward directly.