Container Security Compliance
Every Docker image build is automatically scanned for vulnerabilities, validated against CIS benchmarks, and cryptographically signed before publication. No image reaches your servers without passing.
Automated Security Pipeline
Runs on every commit. Failures block image publication.
Trivy Vulnerability Scan
Every build is scanned against the National Vulnerability Database (NVD) for known CVEs in OS packages and Python dependencies.
Blocks deployment on unfixed CRITICAL vulnerabilities. HIGH and below are tracked and patched on a regular cadence.
Dockle CIS Benchmark
Validates container configuration against the Center for Internet Security (CIS) Docker Benchmark — the industry standard for container hardening.
Checks non-root user, HEALTHCHECK, no embedded credentials, secure file permissions, and more.
SBOM Generation
A complete Software Bill of Materials is generated in both SPDX and CycloneDX formats for every release, listing every package and version in the image.
Available as downloadable artifacts from each build. Meets Executive Order 14028 requirements for software supply chain transparency.
Cosign Image Signing
Every published image is cryptographically signed using Sigstore/Cosign keyless signing, providing tamper-evident verification of image authenticity.
Verify with: cosign verify --certificate-identity-regexp=github bwages/caso-comply-agent:latest
Container Hardening Checklist
Aligned with CIS Docker Benchmark, NIST 800-190, and DISA STIG guidelines.
| Security Control | Standard | Status |
|---|---|---|
| Non-root container user | CIS-DI-0001 | |
| HEALTHCHECK instruction defined | CIS-DI-0006 | |
| Base image pinned to SHA256 digest | Supply Chain | |
| All dependencies pinned to exact versions | Supply Chain | |
| Read-only root filesystem | CIS / NIST 800-190 | |
| All Linux capabilities dropped | CIS / NIST 800-190 | |
| No-new-privileges security option | CIS / NIST 800-190 | |
| Memory and PID limits enforced | CIS / NIST 800-190 | |
| CORS restricted to localhost | OWASP | |
| Rate-limited authentication | OWASP / NIST 800-53 | |
| No AGPL or copyleft dependencies | License Compliance | |
| OS security patches applied at build | DISA STIG | |
| Log rotation configured | CIS / Operations | |
| Optional TLS/HTTPS for local dashboard | NIST 800-53 |
Standards & Frameworks
Our container security controls are aligned with the following government and industry standards.
CIS Docker Benchmark
Center for Internet Security configuration standard for Docker containers. Scanned automatically via Dockle on every build.
NIST SP 800-190
Application Container Security Guide. Our hardening controls follow NIST recommendations for image integrity, runtime protection, and host OS security.
NIST SP 800-53
Security and Privacy Controls. Container security maps to AC, AU, CM, IA, SC, and SI control families.
DISA STIG
Defense Information Systems Agency Security Technical Implementation Guide. OS-level hardening, non-root execution, and minimal attack surface.
Executive Order 14028
Improving the Nation's Cybersecurity. SBOM generation in SPDX and CycloneDX formats meets EO 14028 software supply chain requirements.
Sigstore / Cosign
Cryptographic image signing provides tamper-evident verification. Part of the Linux Foundation's supply chain security initiative.
Verify It Yourself
Don't take our word for it. Run these commands against our published image.
Trivy CVE Scan
docker run --rm aquasec/trivy image bwages/caso-comply-agent:latestDockle CIS Benchmark
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock
goodwithtech/dockle bwages/caso-comply-agent:latestGrype Vulnerability Scan
docker run --rm anchore/grype bwages/caso-comply-agent:latestVerify Image Signature
cosign verify --certificate-identity-regexp=github
bwages/caso-comply-agent:latestNeed scan reports for procurement?
We provide Trivy reports, SBOM documents, and Cosign verification attestations on request. Available for every published image version.