History

hatiyildiz a52bda30cb docs(pass-9b): retry banners on harbor / falco / sigstore / syft-grype Pass 9's commit `ea81c38` only landed banners on grafana + kyverno — the harbor / falco / sigstore / syft-grype edits failed because the Edit tool requires a Read pass per file before write. Now Read'd and applied: - harbor: per-host-cluster registry, pointer to PLATFORM-TECH-STACK §3.5. - falco: per-host-cluster runtime security, pointer to §3.3 + SRE §10 (SIEM/SOAR pipeline). - sigstore: cosign signing chain on every Blueprint OCI artifact, Kyverno admission verifies signatures. - syft-grype: CI-side SBOM + runtime CVE matching. Pass 9 now complete. Refs #37	2026-04-27 21:41:22 +02:00
..
README.md	docs(pass-9b): retry banners on harbor / falco / sigstore / syft-grype	2026-04-27 21:41:22 +02:00

hatiyildiz a52bda30cb docs(pass-9b): retry banners on harbor / falco / sigstore / syft-grype

Pass 9's commit ea81c38 only landed banners on grafana + kyverno —
the harbor / falco / sigstore / syft-grype edits failed because the
Edit tool requires a Read pass per file before write. Now Read'd
and applied:

- harbor: per-host-cluster registry, pointer to PLATFORM-TECH-STACK §3.5.
- falco: per-host-cluster runtime security, pointer to §3.3 + SRE §10
  (SIEM/SOAR pipeline).
- sigstore: cosign signing chain on every Blueprint OCI artifact,
  Kyverno admission verifies signatures.
- syft-grype: CI-side SBOM + runtime CVE matching.

Pass 9 now complete.

Refs #37

2026-04-27 21:41:22 +02:00

README.md docs(pass-9b): retry banners on harbor / falco / sigstore / syft-grype 2026-04-27 21:41:22 +02:00

README.md

Syft + Grype

SBOM generation and vulnerability matching for supply chain security. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.3). Catalyst's CI runs Syft on every Blueprint to publish an SBOM alongside the OCI artifact; Grype scans for known CVEs in the published SBOM and at runtime.

Category: Supply Chain Security | Type: Mandatory per host cluster

Overview

Syft generates Software Bill of Materials (SBOM) for container images, and Grype matches SBOMs against vulnerability databases. Together they provide continuous supply chain visibility required by EU CRA and banking regulators.

Key Features

SBOM generation in CycloneDX and SPDX formats
Vulnerability matching against NVD, GitHub Advisory, OSV databases
CI/CD integration via Gitea Actions
Runtime scanning via Harbor integration

Integration

Component	Integration
Harbor	Stores SBOMs as OCI artifacts
Sigstore/Cosign	Attaches SBOM attestations to signed images
Trivy	Complementary scanning (Trivy for runtime, Grype for CI)
Gitea Actions	SBOM generation in build pipeline

Deployment

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: syft-grype
  namespace: flux-system
spec:
  interval: 10m
  path: ./platform/syft-grype
  prune: true

Part of OpenOva