Add container image scanning and supply chain security #233

@Defilan

Context

The CI pipeline currently has no SAST, container image scanning, or supply chain provenance. As the project grows (31 stars and climbing), this is increasingly expected by enterprise adopters and the K8s ecosystem.

Proposed Additions

Container Scanning

  • Add Trivy or Grype scan step to the release workflow for ghcr.io/defilantech/llmkube-controller images
  • Fail releases on critical/high CVEs

Dependency Scanning

  • Add govulncheck to the lint or test workflow
  • Complements Dependabot by catching Go-specific vulnerabilities

SLSA Provenance

  • Add SLSA provenance generation to GoReleaser output
  • Enables users to verify build provenance via cosign verify-attestation

Signed Images

  • Sign container images with cosign/sigstore
  • Publish signatures alongside images in GHCR

Priority

Medium — not blocking any current functionality but important for trust as adoption grows, especially in air-gapped/compliance environments where LLMKube is positioned.
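
One way the proposed scan, govulncheck, and signing steps could fit together in a GitHub Actions release job, as an added example that is not part of the original issue or the project's workflows. It assumes the image for the tag has already been pushed, that the image tag equals the git tag, and it uses `<commit-sha>` placeholders where the third-party actions should be pinned; the workflow and job names are hypothetical.

```yaml
# Added example, not the project's workflow. Assumes these steps run after the
# release has pushed the image, and that the image tag equals the git tag.
name: release-security
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write   # push the cosign signature to GHCR
  id-token: write   # OIDC token for keyless signing
env:
  IMAGE: ghcr.io/defilantech/llmkube-controller
jobs:
  scan-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Go vulnerability check
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      - name: Resolve image digest
        id: digest
        run: |
          # Scan and sign the immutable digest, not the mutable tag.
          d=$(docker buildx imagetools inspect "$IMAGE:$GITHUB_REF_NAME" \
                --format '{{json .Manifest}}' | jq -r .digest)
          echo "ref=$IMAGE@$d" >> "$GITHUB_OUTPUT"
      - name: Fail on critical/high CVEs
        uses: aquasecurity/trivy-action@<commit-sha>   # placeholder: pin to a reviewed commit
        with:
          image-ref: ${{ steps.digest.outputs.ref }}
          severity: CRITICAL,HIGH
          exit-code: "1"   # non-zero exit stops the job before signing
      - uses: sigstore/cosign-installer@<commit-sha>   # placeholder: pin to a reviewed commit
      - name: Sign the scanned digest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          cosign sign --yes "${{ steps.digest.outputs.ref }}"
```

Because the signing step only runs when both checks pass, an image with critical/high findings stays unsigned, and consumers who enforce `cosign verify` with `--certificate-identity-regexp` and `--certificate-oidc-issuer https://token.actions.githubusercontent.com` will reject it.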
