Skip to content

chainguard-dev/auto-deploy-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
.chainguard
.chainguard
 
 
.github
.github
 
 
helm/redis
helm/redis
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
grype-results.sarif
grype-results.sarif
 
 

Repository files navigation

Auto Update a Helm Deployment

  • Monitor for new Chainguard Images in your dedicated registry
  • Verify integrity of the image by validating the digital signature with cosign
  • Use chainctl image diff to determine if the new image remediates a Critical or High CVE
  • Scan the image with grype
  • Create a PR that:
    • Updates Helm with new image
    • Lists the CVEs that will be remediated with the change
    • Attaches the scan result
    • Uses Chainguard Unique Tags for consistency and atomic rollbacks
  • Deploy to a Kubernetes Cluster once PR is merged
  • Adheres to security least privilege by using short-lived ephemeral tokens to:
    • Authenticate to the Chainguard Registry using an assumed identity (using the ambient creds of each workflow invocation)
    • Authenticate to GitHub (using octo-sts in place of a long-lived PAT)
    • Signs commits using Sigstore/gitsign

Usage

  • Run the scan workflow will populate the scan data for the very old redis-server-bitnami image: image
  • Run the updates workflow to generate a PR with the fixes and scan results: image
  • Merge
  • Profit image

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published