Supply Chain Security & FedRAMP Compliance

• Eliminated the TOCTOU vulnerability window using a local OCI registry pattern, so no unverified image ever reaches production-accessible storage
• Built a single 785-line reusable GitHub Actions composite action consumed by every repository in the organization with zero per-team configuration
• Achieved FIPS 140-3 validated cryptography across all 40+ container base images with weekly CMVP certificate monitoring
• Dual vulnerability scanning (Trivy + Grype) plus CIS benchmark enforcement as hard gates before any image is published
• Keyless signing via Fulcio OIDC with SLSA Level 2+ provenance eliminates long-lived signing key management entirely

The Challenge

FedRAMP Moderate authorization requires proving complete supply chain integrity for every container image in production. That means FIPS 140-3 validated cryptography, provenance attestation for every build artifact, zero tolerance for known vulnerabilities, and audit evidence that the image scanned is byte-identical to the image deployed. The platform I manage runs 40+ containers, so this couldn't be a manual process. It had to be automated, consistent, and impossible to skip.

Approach & Role

I designed and implemented the entire supply chain security framework. From base image selection through attestation verification, it's all in a single reusable GitHub Actions composite action (785 lines) that every repository in the organization consumes. No per-team configuration needed. Every container meets the same compliance bar.

The core problem I solved is a TOCTOU (time-of-check-to-time-of-use) gap. Most container pipelines scan images after pushing to a remote registry. Between push and scan, an unverified image exists in production-accessible storage. I eliminated that gap with a local OCI registry pattern: images are built, scanned, and attested locally before being published. The scanned image is cryptographically guaranteed to be the published image.

Architecture & Patterns

The local OCI registry pattern (TOCTOU elimination):

The fundamental security problem with most container pipelines: you push an image to a remote registry, then scan it after publication. Between push and scan, an unverified image sits in production-accessible storage. Worse, if you scan and then push separately, the image bytes might differ due to layer cache invalidation, concurrent builds, or registry-side rewriting.

I solve this by spinning up a local OCI-compliant registry within the CI runner itself. The build pipeline pushes to localhost:5000, runs all verification gates against that local image, and only copies the verified bytes to the production registry via crane copy. The SHA256 digest is tracked end-to-end. The scanned image is bit-identical to the signed image is bit-identical to the deployed image. No TOCTOU window exists.

This is implemented as a single 785-line GitHub Actions composite action that any repository can consume with zero per-team configuration.

Build pipeline (single composite action):

1. Start local OCI registry (localhost:5000)
2. Build container image, push to local registry
3. Generate SBOM (CycloneDX + SPDX via syft) against local image
4. Dual vulnerability scan (Trivy + Grype) against local image, defense in depth
5. CIS Docker Benchmark compliance check (hard gate, exits code 1 on failure)
6. Secrets scan (prevent credential leakage)
7. Copy verified image to GHCR via crane copy (preserving digest)
8. Keyless cosign signing via Fulcio OIDC (signs the exact digest from step 7)
9. Four attestation types attached to the signed digest: SBOM, vulnerability report, SLSA provenance, build log

FIPS compliance:

• Chainguard FIPS-validated base images for all runtime languages (Node.js, Python, Go, Kong, Keycloak, nginx)
• Failback Azure Linux based distroless containers with FIPS 140-3 CMVP validated OpenSSL if Chainguard is removed from the architecture
• BouncyCastle FIPS providers for Java workloads
• FIPS OpenSSL scratch images for minimal-surface Go services
• Attestation verification gates, builds refuse to proceed if upstream image attestations are invalid

CI/CD security hardening:

• All action references SHA-pinned (not tag-based), prevents supply chain attacks via compromised action tags
• Zizmor linting for GitHub Actions template injection prevention
• Environment variable indirection pattern to prevent expression injection (GitHub expression syntax never used directly in run: blocks)
• Least-privilege permissions (permissions: {} + explicit per-job grants)
• Weekly CMVP certificate monitoring for FIPS validation status
• Composite action accepts minimal inputs, derives everything else, reduces misconfiguration surface

Reusable action design

• I test the composite action in isolation using a dedicated repository with matrix builds across all supported base image types
• Matrix covers: Node.js FIPS, Python FIPS, Go scratch, Kong, Keycloak, nginx. This ensures the pipeline handles multi-stage builds, distroless images, and JVM-based builds
• Integration tests validate the full attestation chain: build, scan, sign, verify, pull, attest
• Tests run against both linux/amd64 and linux/arm64 to catch platform-specific image layer issues

Impact & Scale

• Every container in the fleet (40+ containers) passes through the same supply chain pipeline
• Dual scanning catches vulnerabilities that either scanner alone would miss
• CIS benchmark enforcement prevents non-compliant images from ever reaching a registry
• SLSA Level 2+ provenance for complete build chain auditability
• Zero long-lived signing keys, cosign keyless via Fulcio OIDC eliminates key management entirely
• FedRAMP-ready evidence package generated automatically with every build