Security Model
CascadeGuard is built with a security-first design. Every image it manages is automatically scanned, attested, and signed as part of the standard pipeline.
What CascadeGuard secures
Vulnerability scanning
Every image build triggers dual-scanner analysis:
- Grype — Anchore’s vulnerability scanner, optimised for container images. Detects CVEs across OS packages and language ecosystems.
- Trivy — Aqua Security’s scanner. Cross-validates Grype findings and detects misconfigurations.
Running both scanners in parallel reduces false negatives and gives a higher-confidence CVE posture for each image.
The nightly scheduled-scan.yaml workflow re-scans every published image against the latest vulnerability databases — without rebuilding — and opens a GitHub Issue for any newly disclosed CVEs.
Software Bill of Materials (SBOM)
CascadeGuard generates an SBOM for every image using Syft. The SBOM is:
- Attached as a build artifact
- Attested and signed alongside the image using Cosign (see below)
SBOMs let you audit exactly what packages and versions are inside each image, which is essential for responding quickly to newly disclosed vulnerabilities.
Image signing
All images published by CascadeGuard are signed using Cosign with keyless signing via Sigstore. The signature is stored in the OCI registry alongside the image.
To verify a CascadeGuard-published image:
cosign verify \
--certificate-identity-regexp="https://github.com/cascadeguard/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/cascadeguard/nginx:stable-alpine-slimA valid signature proves the image was built by CascadeGuard CI and has not been tampered with since publication.
Supply chain security
Pinned GitHub Actions
CascadeGuard provides an actions pin command that rewrites all GitHub Actions uses: references from floating tags (e.g. actions/checkout@v4) to full commit SHAs (e.g. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683). This prevents supply chain attacks where a compromised tag could inject malicious code.
cascadeguard actions pinUse --dry-run to preview changes before writing them, and --refresh to re-pin SHAs when new versions are released.
Actions policy enforcement
The actions audit command validates your workflow files against a declarative policy:
cascadeguard actions policy init # Scaffold a starter policy
cascadeguard actions audit # Audit all workflow filesThe policy file (.cascadeguard/actions-policy.yaml) lets you define:
- Allowed action registries
- Required pinning (SHA vs. tag)
- Blocked actions
This is particularly useful for enforcing supply-chain standards across multiple repositories.
Runtime security practices
| Practice | Detail |
|---|---|
| Minimal base images | CascadeGuard’s exemplar images use Alpine and distroless bases to reduce attack surface. |
| Non-root users | Published images run as non-root by default. |
| Read-only filesystems | Recommended in deployment manifests where possible. |
| Dependency updates | Base images are monitored for updates; rebuilds are triggered automatically when upstream changes. |
Responsible disclosure
Security vulnerabilities in CascadeGuard itself should be reported via private vulnerability reporting. Do not open public issues for security vulnerabilities.
See SECURITY.md for the full disclosure policy and response timeline.