This document outlines the security policies, including how to report vulnerabilities, verify artifact integrity, and understand the security measures in place.
To ensure the integrity of our software, we provide verifiable provenance for our Docker images. You can find all provenance attestations here.
Our Wolfi-based container images are built with GitHub Actions and follow supply chain security best practices, using a declarative approach based on apko.
- Base Image: `wolfi-base`
- Build System: GitHub Actions (workflow: `release.yml`)
- Declarative Build Spec: `apko.yaml` defines the image composition
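A consumer-side policy check on a provenance statement, added here as an illustration and not taken from this project's code. It assumes the attestation is an in-toto statement with a SLSA v1 provenance predicate as emitted by GitHub Actions, that its signature has already been verified by the signing tool, and that the workflow lives at `.github/workflows/release.yml`; the repository URL and digest are constructed placeholders.

```python
SLSA_V1 = "https://slsa.dev/provenance/v1"
EXPECTED_REPO = "https://github.com/example-org/example-image"  # placeholder, not the real repo
EXPECTED_WORKFLOW = ".github/workflows/release.yml"             # assumed location of release.yml
SAMPLE_DIGEST = "ab" * 32                                       # constructed sha256 hex value


def sample_statement(workflow_path=EXPECTED_WORKFLOW):
    """Build a constructed statement (trimmed to the fields checked below)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-image", "digest": {"sha256": SAMPLE_DIGEST}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
            "repository": EXPECTED_REPO,
            "path": workflow_path,
            "ref": "refs/tags/v0.0.0",
        }}}},
    }


def check_provenance(statement, image_digest,
                     repo=EXPECTED_REPO, workflow=EXPECTED_WORKFLOW):
    """Return a list of policy violations; an empty list means the claims match.

    This only inspects claims. It does not verify the signature, so run it
    on a statement whose signature was already checked.
    """
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append("unexpected predicateType")
    # The digest of the image you pulled must be one of the attested subjects.
    attested = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest.removeprefix("sha256:") not in attested:
        problems.append("image digest not among attested subjects")
    wf = (statement.get("predicate", {}).get("buildDefinition", {})
          .get("externalParameters", {}).get("workflow", {}))
    # A valid signature from some other repository or workflow is not enough.
    if wf.get("repository") != repo:
        problems.append("built from unexpected repository")
    if wf.get("path") != workflow:
        problems.append("built by unexpected workflow")
    return problems


if __name__ == "__main__":
    print(check_provenance(sample_statement(), "sha256:" + SAMPLE_DIGEST))
```

Pin the image by digest when pulling so that the digest you check is the digest you run.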