CascadeGuard Open Secure Images

Production-hardened container base images with built-in vulnerability scanning, cryptographic signing, and SLA-driven CVE remediation.

Why CascadeGuard?

Most container security issues originate in the base image. Upstream images ship with unnecessary packages, default root users, embedded shells, and stale vulnerability databases. CascadeGuard images address this by applying a consistent hardening pipeline to every image we publish.

Security Properties

• Non-root by default — All images run as nonroot (UID 65532), matching the distroless convention.
• Minimal attack surface — Unnecessary packages, shells, documentation, and locale data are stripped at build time.
• Shell-restricted — Only /bin/sh is retained; bash, dash, zsh, and others are removed.
• SUID/SGID bits removed — No binaries retain elevated privilege bits.
• Cryptographically signed — Every image is signed with cosign keyless signing via Sigstore.
• SBOM attached — Every image carries an SPDX SBOM attestation generated by syft.
• Continuously scanned — A daily workflow scans all published images with Grype and Trivy, automatically opening issues for new CVEs.
• SLA-driven patching — Critical CVEs are patched within 24 hours; high within 48 hours.

Image Catalog

Quick Start

Pull an image

docker pull ghcr.io/cascadeguard/python:3.12-slim

Verify the signature

cosign verify \
  --certificate-identity-regexp "https://github.com/cascadeguard/open-secure-images/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/cascadeguard/python:3.12-slim

Use in a Dockerfile

FROM ghcr.io/cascadeguard/python:3.12-slim
 
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
 
COPY . .
CMD ["python", "app.py"]

Verify the SBOM attestation

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp "https://github.com/cascadeguard/open-secure-images/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/cascadeguard/python:3.12-slim

Repository Structure

images/                     # One directory per image variant
  python/3.12/              #   Dockerfile + tests
  node/20/
  nginx/
  alpine/
  debian-slim/
shared/                     # Shared tooling across all images
  hardening/                #   Bash scripts for hardening
  scanning/                 #   Grype configuration
  signing/                  #   Cosign signing scripts
.github/workflows/          # CI/CD pipelines
  build-image.yaml          #   Build, scan, test, sign on push
  scheduled-scan.yaml       #   Daily CVE scan of published images
  release.yaml              #   Tagged release to GHCR + Docker Hub
policy/                     # Security policies
  cve-sla.yaml              #   Remediation SLA targets
  allowed-packages.yaml     #   Per-image package allowlists

How Hardening Works

Every image passes through three shared hardening scripts during the Docker build:

1. minimize-packages.sh — Removes build tools, documentation, man pages, locale data, and unnecessary system packages. Supports both APT (Debian) and APK (Alpine).

2. strip-shells.sh — Removes all shell binaries except /bin/sh. Cleans up profile files, completion directories, and updates /etc/shells.

3. set-nonroot.sh — Creates the nonroot user (UID 65532, GID 65532) with no login shell. Sets ownership of /app and /home/nonroot with restricted permissions. Locks the root account.

CI/CD Pipeline

On push to main

The build-image.yaml workflow detects which images changed, builds them, runs Grype scans and container-structure-tests, generates SBOMs, signs with cosign, and pushes to GHCR.

Daily scheduled scan

The scheduled-scan.yaml workflow pulls all published images, scans them with both Grype and Trivy, and automatically opens GitHub issues for any new critical or high CVEs.

On version tag

The release.yaml workflow builds all images for linux/amd64 and linux/arm64, pushes to both GHCR and Docker Hub, signs everything, attaches SBOM attestations, and creates a GitHub Release with release notes.

CVE Remediation SLA

See policy/cve-sla.yaml for SLA targets and CVE-STRATEGY.md for the full CVE detection, remediation, and upstream contribution strategy.

Contributing

By contributing to this project, you agree that your contributions will be licensed under the Business Source License 1.1.

1. Fork the repository.
2. Create a feature branch from main.
3. Make your changes. If modifying a Dockerfile, update the corresponding test/structure.yaml.
4. Run the structure tests locally:

   container-structure-test test \
     --image your-local-image:tag \
     --config images/<image>/test/structure.yaml

5. Open a pull request. The CI pipeline will automatically build, scan, and test your changes.

Adding a new image

1. Create a new directory under images/<name>/ with a Dockerfile and test/ directory.
2. Add structure.yaml and cve-policy.yaml in the test directory.
3. Add the image to the matrix in .github/workflows/scheduled-scan.yaml and .github/workflows/release.yaml.
4. Add an entry to policy/allowed-packages.yaml.

License

The source code in this repository is licensed under the Business Source License 1.1. The Additional Use Grant permits production use, provided such use does not include offering the Licensed Work to third parties as a commercial container image lifecycle management service or a managed image rebuild service. On the Change Date (2030-04-04), the license converts to Apache License 2.0.

Published container image artifacts on GHCR and Docker Hub are free to pull and use in your own applications. See IMAGE-TERMS.md for details on image artifact usage, including restrictions on redistribution and resale.