Feature: Container Image Security (Signing, SBOM, Attestation, Scanning) #105
Description
Feature Design Request
Parent Issue: #93
Base Branch: simple-forge/issue-93-feature-request-container-imag-ta061x
Problem
Organizations need software supply chain security capabilities to meet NIST SP 800-218, SLSA, and Executive Order 14028 compliance requirements. Currently, Simple Container lacks native support for image signing, SBOM generation, provenance attestation, and vulnerability scanning, forcing users to maintain complex custom scripts (e.g., 2,400-line bash scripts).
Scope
IN SCOPE: (1) Cosign integration for keyless and key-based image signing, (2) Syft integration for SBOM generation in CycloneDX/SPDX formats, (3) SLSA v1.0 provenance attestation, (4) Vulnerability scanning with Grype and Trivy, (5) YAML-based security configuration, (6) CLI commands for manual operations, (7) Integrated release workflow combining all features. OUT OF SCOPE: Custom signing providers beyond Cosign, SBOM vulnerability remediation workflows, policy enforcement engines, real-time monitoring dashboards, non-container artifact signing.
Acceptance Criteria
- Images are signed automatically after build with keyless OIDC or key-based signing
- Keyless signing works in GitHub Actions with automatic OIDC token detection
- SBOM is generated for every image in CycloneDX or SPDX format
- SBOM is attached as signed in-toto attestation to container registry
- SLSA v1.0 provenance is generated and attached as signed attestation
- Builder ID is auto-detected from CI environment (GitHub Actions, GitLab CI)
- Images are scanned with Grype and Trivy for vulnerabilities
- Deployment fails when critical vulnerabilities found (if configured with failOn: critical)
- All security features are opt-in (disabled by default) for backward compatibility
- Security operations fail-open by default (warnings, not errors) to avoid breaking workflows
- Single 'sc release create' command executes full workflow: build → scan → sign → SBOM → provenance
- Performance overhead is less than 10% when all features enabled
- CLI commands work: sc image sign, sc image verify, sc sbom generate, sc image scan
- Configuration schema extends existing StackConfigSingleImage with SecurityDescriptor
- All features work with major registries: AWS ECR, GCR, Docker Hub, Harbor
- Test coverage is 90%+ for pkg/security/ package
- Documentation is complete with examples, troubleshooting, and compliance mapping
Documentation
docs/product-manager/container-security/README.mddocs/product-manager/container-security/requirements.mddocs/product-manager/container-security/acceptance-criteria.mddocs/product-manager/container-security/task-breakdown.md
Notes
Documentation includes 2,376 lines covering: executive summary, full requirements with 5 functional requirements (FR-1 through FR-5), non-functional requirements, compliance mapping to NIST SP 800-218 and SLSA, 60+ detailed test cases, implementation task breakdown across 5 phases with effort estimates (7-10 engineer-weeks total), architecture design principles, and handoff guidance for Architect role.
Dependencies
- External: Cosign v3.0.2+ for image signing
- External: Syft v1.41.0+ for SBOM generation
- External: Grype v0.106.0+ for vulnerability scanning
- External: Trivy v0.68.2+ for secondary scanning (optional)
- Internal: Existing BuildAndPushImage() in pkg/clouds/pulumi/docker/build_and_push.go
- Internal: Existing secrets management system for storing signing keys
- Internal: Existing logger package for operation logging
- CI/CD: GitHub Actions id-token: write permission for OIDC keyless signing
- Registry: OCI artifact support for attestation storage
Priority: high
This issue was automatically created by the Multi-Role Orchestration system.