Context
The CI pipeline currently has no SAST, container image scanning, or supply chain provenance. As the project grows (31 stars and climbing), this is increasingly expected by enterprise adopters and the K8s ecosystem.
Proposed Additions
Container Scanning
- Add Trivy or Grype scan step to the release workflow for `ghcr.io/defilantech/llmkube-controller` images
- Fail releases on critical/high CVEs
Dependency Scanning
- Add `govulncheck` to the lint or test workflow
- Complements Dependabot by catching Go-specific vulnerabilities
SLSA Provenance
- Add SLSA provenance generation to GoReleaser output
- Enables users to verify build provenance via `cosign verify-attestation`
Signed Images
- Sign container images with cosign/sigstore
- Publish signatures alongside images in GHCR
Priority
Medium — not blocking any current functionality but important for trust as adoption grows, especially in air-gapped/compliance environments where LLMKube is positioned.
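
A sketch of how the scanning and signing items above could fit together as a reusable GitHub Actions workflow. This is an added example, not part of the original issue or the project's CI; it covers the govulncheck gate, the Trivy gate and cosign signing, and leaves out the GoReleaser provenance step. The workflow name, job ids, the `digest` input and the `<commit-sha>` placeholders are assumptions.

```yaml
# Added sketch: workflow name, job ids and the "digest" input are assumptions.
name: image-security
on:
  workflow_call:
    inputs:
      digest:   # sha256:... of the image the release job pushed
        required: true
        type: string
permissions:
  contents: read
jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...   # non-zero exit when a known-vulnerable symbol is called
  scan-and-sign:
    needs: govulncheck
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # push the signature to GHCR
      id-token: write   # OIDC token for keyless signing
    env:
      IMAGE_REF: ghcr.io/defilantech/llmkube-controller@${{ inputs.digest }}
    steps:
      - run: echo "$GH_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Pin third-party actions to a reviewed commit SHA (placeholder below).
      - uses: aquasecurity/trivy-action@<commit-sha>
        with:
          image-ref: ${{ env.IMAGE_REF }}
          severity: CRITICAL,HIGH
          exit-code: "1"   # fail the release when a critical/high CVE is found
      - uses: sigstore/cosign-installer@<commit-sha>
      # Sign the digest that was scanned, never a mutable tag.
      - run: cosign sign --yes "$IMAGE_REF"
```

Consumers can check the resulting signature with `cosign verify`, passing `--certificate-identity-regexp` for the repository's workflow identity and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`.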