Chapter 4. Checklist

Gates & Ratcheting (policy-first)

  • Quarantine tag: New images are tagged quarantine-<sha> until they pass gates.
  • Pass criteria: No CRITICAL, and no HIGH with fixes in direct deps (tune per team).
  • Gate implementation: CI step sca-gate (Trivy JSON → pass/fail) wired after build/scan.
  • Promotion tag: On pass, retag to good-<tag> and/or :release-<semver>.
  • Ratcheting plan: 6-week path from WARN → ENFORCE documented (which checks flip each week).
  • Override path: Temporary risk acceptance file with owner + expiry required for bypass.
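
The sca-gate step above, as an added example (not the chapter's own code): it reads a Trivy JSON report, applies the pass criteria, honours a risk acceptance file only when an owner and an unexpired date are present, and supports the WARN vs ENFORCE modes used during ratcheting. The set of direct dependencies (e.g. parsed from go.mod) and the JSON layout of the acceptance file are assumptions, and the report, IDs and dates are constructed samples.

```python
"""sca-gate: turn a Trivy JSON report into pass/fail (added example)."""
import json
import sys
from datetime import date

# Constructed sample in the shape of a Trivy JSON report; IDs are placeholders.
SAMPLE_REPORT = {"Results": [{"Target": "app:quarantine-abc123", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libcrit", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libdirect", "Severity": "HIGH",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
    {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libtransitive", "Severity": "HIGH",
     "FixedVersion": "2.0.0"},
    {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libdirect", "Severity": "HIGH"},
]}]}
DIRECT_DEPS = {"libdirect"}  # assumption: supplied by the caller, e.g. from go.mod
# Constructed risk-acceptance file (assumed layout): keyed by ID, owner + expiry.
ACCEPTANCE = {"EXAMPLE-0001": {"owner": "team-platform", "expires": "2030-01-01",
                               "reason": "mitigated by network policy"}}


def is_blocking(v: dict, direct_deps: set) -> bool:
    """Pass criteria: no CRITICAL; no HIGH with a fix in a direct dependency."""
    sev = (v.get("Severity") or "").upper()
    if sev == "CRITICAL":
        return True
    return sev == "HIGH" and bool(v.get("FixedVersion")) and v.get("PkgName") in direct_deps


def is_accepted(vuln_id: str, acceptance: dict, today: date) -> bool:
    """Override path: an entry only counts with an owner and a non-expired date."""
    entry = acceptance.get(vuln_id)
    if not entry or not entry.get("owner") or not entry.get("expires"):
        return False
    return date.fromisoformat(entry["expires"]) >= today


def run_gate(report: dict, direct_deps: set, acceptance: dict,
             today: str, enforce: bool = True) -> tuple:
    """Return (passed, blocking_ids). WARN mode (enforce=False) lists findings
    but never fails, which is where the ratcheting plan starts."""
    now = date.fromisoformat(today)
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if is_blocking(v, direct_deps) and not is_accepted(
                    v["VulnerabilityID"], acceptance, now):
                blocking.append(v["VulnerabilityID"])
    return (not blocking or not enforce), sorted(blocking)


if __name__ == "__main__":  # usage: sca_gate.py [artifacts/trivy-image-base.json]
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    ok, ids = run_gate(report, DIRECT_DEPS, ACCEPTANCE, date.today().isoformat())
    print("PASS" if ok else "FAIL", ids)
    sys.exit(0 if ok else 1)
```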

Golden Node Outcomes (simulated on Minikube)

  • Namespace PSS=Restricted enforced (e.g., make pss-enforce).
  • Pod hardening: drop caps, read-only FS, seccomp/apparmor profiles applied to sample app.
  • Runtime detection (optional): basic signals enabled; evidence captured in artifacts.
  • Verification: kubectl/audit evidence attached to the runbook.

Golden Container Images (digest-pinned, scanned, SBOM’d, signed)

  • Minimal runtime base (distroless/alpine), non-root USER, fixed UID/GID.
  • Digest pins: base and runtime pinned; pins recorded in repo.
  • Build base image via Make: base-build.
  • Scan: base-scan (Trivy) → artifacts/trivy-image-base.json.
  • SBOM: base-sbom (Syft) → artifacts/sbom-base.json.
  • Sign & verify: base-sign / base-verify (Cosign) → bundle + verify log.
  • (Admission) Enforce org-only image prefixes with Kyverno; tests included.

SBOM Diff & License Policy

  • SBOM produced for each build (make sbom) → artifacts/sbom.json.
  • Diff rule: Define when to run diff (every merge to main or at RC).
  • License allowlist: committed list (e.g., MIT/Apache-2.0/BSD/ISC/MPL-2.0); reviewers named.
  • License scan: make license-scan → artifacts/license-scan.txt (flags UNKNOWN/DISALLOWED).
  • Ticketing: violations create issues with context (package, version, license, rationale).

Dependency Mirrors (local-first supply chain)

  • Mirror up: make dep-mirror-up (Go proxy + optional npm cache).
  • Route deps: set GOPROXY=http://localhost:8081,direct and/or .npmrc registry to mirror.
  • Build via mirror: make build succeeds with caching in place.
  • Evidence: health checks + config captured in artifacts and runbook.

Artifact Hygiene at Home

  • Tag schema: <semver>-<YYYYMMDD>-<shortsha> used consistently.
  • Repro build: pinned versions; immutable artifacts with checksums.
  • Registry choice: documented (Minikube image cache vs local registry) with pros/cons.
  • SBOM + signatures stored alongside artifacts; retention policy defined.

Promotion & Evidence

  • Promotion rule: “promote on pass” criteria captured (which gates must be green).
  • Bundle: evidence ZIP contains Trivy JSON, SBOM, license scan, Cosign bundle, logs.
  • Runbook: links to artifacts, rollback steps, smoke endpoints.
  • Audit trail: CI summary lists artifacts & commit; exceptions tracked with expiry.