feat(security): container image signing reference architecture

[WilliamBerryiii]

Pull Request

Description

Introduces a complete container image signing reference architecture for the Physical AI Toolchain. Adds dual-mode signing (Sigstore keyless and Notation+AKV HSM), Kyverno admission policies for edge clusters, OpenVEX vulnerability suppression, supporting Terraform modules, and a verified-digest deployment flow.

Major additions:

• New Terraform modules: arc-runners, github-oidc, notation-akv, sigstore-mirror with full conditional wiring driven by a new signing_mode variable (sigstore | notation | none)
• New GitHub Actions reusable workflows: container-build-verify, container-publish (cosign keyless), container-publish-notation (AKV HSM), notation-key-rotate, lerobot-eval-image-publish; dataviewer-image-publish extended for dual-mode
• Edge admission policies: Kyverno HelmRelease + ClusterPolicies (sigstore + notation variants), per-cluster overlays (dev/staging → Sigstore, production → Notation), TUF trusted-root distribution + hourly refresh CronJob
• Security tooling: scripts/security/verify-image.sh, scan-image-vulns.sh, check-admission-readiness.sh, probe-admission.sh with full Pester coverage
• BREAKING: infrastructure/setup/02-deploy-dataviewer.sh and data-management/setup/deploy-dataviewer.sh no longer build images. Operators must supply pre-signed digests via --backend-digest / --frontend-digest and select --verify-mode. Verification is mandatory and abort-on-failure.
• ADRs (container-signing-public-rekor.md), runbook (notation-key-rotation.md), security guides (container-signing.md, rekor-disclosure.md)
• First OpenVEX document (security/vex/dataviewer-base.openvex.json) suppressing CVE-2023-45853 in dataviewer base images
• Interactive prompt configure-container-build.prompt.md for guided operator onboarding
• New commit scope (security) registered in copilot-instructions and commit-message instructions

Components beyond the template list — this PR also touches policies/kyverno/, scripts/security/, security/vex/, fleet-deployment/gitops/, data-management/, and .github/workflows/. See pr-reference-log.md for the full file-by-file synthesis.

Closes #

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Additional surfaces (not enumerated in the template):

• .github/workflows/ — new reusable signing workflows + actionlint config
• fleet-deployment/gitops/ — Kyverno admission, sources, per-cluster overlays
• policies/kyverno/tests/ — Kyverno CLI policy tests
• scripts/security/ + scripts/tests/security/ — verification tooling and Pester coverage
• security/vex/ — first OpenVEX document
• data-management/setup/ and data-management/viewer/ deploy script + README

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Additional verification:

• terraform test matrix in infrastructure/terraform/tests/signing-mode.tftest.hcl covers sigstore+mirror, sigstore+public, notation, none
• New module-level terraform test suites for arc-runners, github-oidc, notation-akv, sigstore-mirror (mock-provider plan-only)
• Kyverno CLI tests in policies/kyverno/tests/ (36 assertions: signed / unsigned / wrong-identity / missing-attestation / third-party)
• Pester suites for verify-image, scan-image-vulns, check-admission-readiness, deploy-dataviewer (in-process stub binaries; tmpdir sandbox)
• npm run lint:md and npm run spell-check passing on this branch

Out of scope for this PR (deferred to follow-up):

• End-to-end signed-image publish from CI in dev environment
• Live admission probe against a deployed Kyverno instance
• LeRobot eval image publish (blocked until evaluation/sil/Dockerfile lands — DD-04)

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

New/updated docs:

• docs/adrs/container-signing-public-rekor.md
• docs/runbooks/notation-key-rotation.md
• docs/security/container-signing.md
• docs/security/rekor-disclosure.md
• data-management/README.md — new "Build and Deploy Paths" section
• README.md — new "Verifying Container Images" section
• CONTRIBUTING.md — new "Container Image Signing" section
• security/vex/README.md — OpenVEX authoring workflow
• .github/prompts/configure-container-build.prompt.md — interactive onboarding prompt

Bug Fix Checklist

Not applicable — this is a feature + infrastructure PR.

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

---

Reviewer attention:

1. Public Rekor disclosure — default signing_mode = "sigstore" writes signatures + workflow refs + image digests to a permanent public log. ADR documents rationale; consent gates exist on every operator surface, but please confirm acceptable for production posture.
2. Breaking deploy-script change — operators must migrate to digest-supplied flow. Migration path documented in data-management/README.md.
3. Kyverno admission upgrade window — verification is bypassed if Kyverno is offline. Coordinate with edge maintenance windows.
4. Hostname-based egress NetworkPolicy in arc-runners — requires CNI L7 (Cilium/Calico) for enforcement. Defaults to enabled.
5. Conditional assertions in infrastructure/terraform/main.tf — block "deploy when none" but do not enforce that ≥1 signing path is active. Intentional to allow staged rollout.

🔒 - Generated by Copilot

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 5473592.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/container-vulnerability-scan.yml

Package	Version	License	Issue Type
Azure/login	532459ea530d8321f2fb9bb10d1e0bcf23869a43	Null	Unknown License
aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	Null	Unknown License

.github/workflows/notation-key-rotate.yml

Package	Version	License	Issue Type
Azure/login	532459ea530d8321f2fb9bb10d1e0bcf23869a43	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/Azure/login	532459ea530d8321f2fb9bb10d1e0bcf23869a43	🟢 6.2	Details Check Score Reason Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches SAST 🟢 7 SAST tool detected but not run on all commits
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.2	Details Check Score Reason Code-Review 🟢 5 Found 16/29 approved changesets -- score normalized to 5 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits
actions/actions/upload-artifact	043fb46d1a93c77aae656e7c1c64a875d1fc6a0a	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 8 8 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	🟢 6.7	Details Check Score Reason Code-Review 🟢 9 Found 15/16 approved changesets -- score normalized to 9 Maintained 🟢 10 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 7 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/github/codeql-action/upload-sarif	95e58e9a2cdfd71adc6e0353d5c52f41a045d225	Unknown	Unknown
actions/Azure/login	532459ea530d8321f2fb9bb10d1e0bcf23869a43	🟢 6.2	Details Check Score Reason Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches SAST 🟢 7 SAST tool detected but not run on all commits
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.2	Details Check Score Reason Code-Review 🟢 5 Found 16/29 approved changesets -- score normalized to 5 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits
actions/actions/github-script	ed597411d8f924073f98dfc5c65a23a2325f34cd	🟢 6.6	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 1/13 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/container-vulnerability-scan.yml
• .github/workflows/notation-key-rotate.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.56%. Comparing base (3f1edd1) to head (5473592).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #592      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%     
==========================================
  Files         250      262      +12     
  Lines       15409    16639    +1230     
  Branches     2163     2301     +138     
==========================================
+ Hits         9848    11076    +1228     
  Misses       5274     5274              
- Partials      287      289       +2     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from 3f1edd1
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from 3f1edd1
pytest-dataviewer	65.12% <ø> (ø)		Carriedforward from 3f1edd1
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from 3f1edd1
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.97% <ø> (ø)		Carriedforward from 3f1edd1
pytest-inference	0.00% <ø> (ø)		Carriedforward from 3f1edd1
pytest-training	82.14% <ø> (ø)		Carriedforward from 3f1edd1
vitest	51.08% <ø> (ø)		Carriedforward from 3f1edd1

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[WilliamBerryiii]

Testing the Container Signing Reference Architecture

End-to-end test guide for PR #592. Tests are layered from fastest (no infra) to slowest (live Azure + cluster). Run layers 1-3 locally before opening any cluster work; run layers 4-8 against a non-production subscription.

Prerequisites

Tool	Version	Purpose
terraform	>= 1.9.8, < 2.0	Module + integration tests
pwsh + Pester	7.x + 5.x	Security script unit tests
kyverno CLI	>= 1.12	Policy validation tests
cosign	>= 2.2	Sigstore verification
notation + notation-azure-kv plugin	>= 1.1 / >= 1.1	Notation verification
kubectl, helm	current	Cluster-side checks
az CLI	>= 2.60	AKV + ACR access
gh CLI	>= 2.40	Trigger workflows, fetch attestations
trivy, syft, vexctl	current	Local SBOM/scan/VEX validation
shellcheck	>= 0.9	Script linting

Azure prerequisites: an AKV with RBAC, an ACR (Premium SKU if testing Notation in-registry signatures), a federated GitHub OIDC credential bound to this fork's branches.

# One-time auth
az login
az acr login --name <youracr>
gh auth login

---

Layer 1 — Terraform tests (no Azure required)

All *.tftest.hcl files use mock_provider + command = plan. No credentials, no state mutation.

# Root integration + signing-mode matrix
cd infrastructure/terraform
terraform init -backend=false
terraform test

# Per-module conditionals
for m in arc-runners github-oidc notation-akv sigstore-mirror; do
  pushd "modules/$m" >/dev/null
  terraform init -backend=false
  terraform test
  popd >/dev/null
done

Expected coverage:

• infrastructure/terraform/tests/integration.tftest.hcl — full graph plans cleanly with signing_mode toggled across sigstore, notation, none.
• infrastructure/terraform/tests/signing-mode.tftest.hcl — asserts the correct child modules instantiate per mode (e.g. notation-akv only when signing_mode = "notation").
• infrastructure/terraform/tests/outputs.tftest.hcl — verifies signing-related outputs are populated/empty correctly.
• Per-module tests/conditionals.tftest.hcl — exercise each should_* flag and resource-count expectations.

Pass criteria: every run block reports pass. Failures block the PR via terraform-tests.yml.

Layer 2 — Kyverno policy tests (no cluster required)

kyverno test policies/kyverno/tests/

Validates policies/kyverno/tests/kyverno-test.yaml against rendered policy fixtures and resource samples. Both Sigstore and Notation policies must report Pass for the allowed-image fixtures and Fail for the deny fixtures.

Layer 3 — Pester tests for security scripts

pwsh -c "Invoke-Pester scripts/tests/security -Output Detailed"

Covers:

• scripts/tests/security/Verify-Image.Tests.ps1 — verification matrix for scripts/security/verify-image.sh (sigstore vs notation, missing attestations, digest mismatch).
• scripts/tests/security/Scan-ImageVulns.Tests.ps1 — Trivy invocation + VEX suppression for scripts/security/scan-image-vulns.sh.
• scripts/tests/security/Check-AdmissionReadiness.Tests.ps1 — gating logic in scripts/security/check-admission-readiness.sh.

Run shellcheck alongside:

shellcheck scripts/security/*.sh

---

Layer 4 — End-to-end signing (Sigstore mode)

Trigger the publish workflow on a throwaway tag/branch:

gh workflow run container-build-verify.yml --ref <branch>
gh workflow run container-publish.yml --ref <branch> -f image=dataviewer

After completion, resolve the immutable digest and verify:

IMAGE=<youracr>.azurecr.io/dataviewer
DIGEST=$(az acr repository show-manifests --name <youracr> --repository dataviewer \
  --orderby time_desc --top 1 --query '[0].digest' -o tsv)

cosign verify "$IMAGE@$DIGEST" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "^https://github.com/microsoft/physical-ai-toolchain/.*"

for t in spdxjson slsaprovenance cyclonedx openvex; do
  cosign verify-attestation --type "$t" "$IMAGE@$DIGEST" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp "^https://github.com/microsoft/physical-ai-toolchain/.*" \
    >/dev/null && echo "OK: $t"
done

All four attestations must verify. If should_use_public_rekor = false, point cosign at the in-cluster mirror via COSIGN_REKOR_URL.

Layer 5 — End-to-end signing (Notation mode)

Apply the Notation infrastructure variant:

cd infrastructure/terraform
terraform apply -var='signing_mode=notation' -var='should_enable_premium_acr=true'

Trigger the Notation publisher and verify:

gh workflow run container-publish-notation.yml --ref <branch> -f image=dataviewer

# Trust policy comes from the notation-akv module outputs
notation policy import "$(terraform output -raw notation_trust_policy_path)"
notation verify "$IMAGE@$DIGEST"

Layer 6 — Admission enforcement

With Flux applied to a target cluster:

./scripts/security/check-admission-readiness.sh

Then exercise the policy:

# Should ADMIT (signed image)
kubectl run signed --image="$IMAGE@$DIGEST" --restart=Never --rm -it -- /bin/true

# Should REJECT (unsigned upstream)
kubectl run unsigned --image=nginx:latest --restart=Never --rm -it -- /bin/true
# Expect: admission webhook "validate.kyverno.svc-fail" denied the request

Confirm both Kyverno policies attached:

kubectl get cpol kyverno-sigstore-policy kyverno-notation-policy -o jsonpath='{.items[*].status.ready}'

Layer 7 — Vulnerability scan + VEX

./scripts/security/scan-image-vulns.sh "$IMAGE@$DIGEST"

Confirm CVEs listed in security/vex/dataviewer-base.openvex.json appear under the suppressed/not_affected section, not in the failing set. Re-run container-vulnerability-scan.yml to validate the same behavior in CI.

Layer 8 — Notation key rotation drill

gh workflow run notation-key-rotate.yml --ref main

Verification checklist:

1. New key version visible in AKV: az keyvault key list-versions --vault-name <vault> --name <key>.
2. Updated notation_trust_policy output reflects the new key identifier (re-run terraform plan).
3. The Flux-managed trusted-root-refresh CronJob runs to completion on the next schedule (or trigger manually with kubectl create job --from=cronjob/trusted-root-refresh refresh-now).
4. Re-publish an image with the new key and re-run Layer 5 verification.

Refer to docs/runbooks/notation-key-rotation.md for rollback steps.

---

Cleanup

# Remove test images
az acr repository delete --name <youracr> --repository dataviewer --yes

# Tear down infra (per-environment)
cd infrastructure/terraform
terraform destroy -var='signing_mode=notation'

Troubleshooting

Symptom	First check
terraform test fails on mock_provider block	terraform version >= 1.9.8
cosign verify returns no matching signatures	You verified by tag — re-resolve @sha256: digest
notation verify fails trust policy not found	Re-import the policy from terraform output -raw notation_trust_policy_path
Kyverno admits an unsigned image	Confirm the policy is Enforce, not Audit, in the cluster overlay
Trivy CVE not suppressed	VEX statement must reference the exact image purl + CVE id

See the broader troubleshooting matrix in docs/security/container-signing.md.