
How SecureBuild Works

SecureBuild uses a unique approach to container security: patch detection, automatic rebuilding, and cryptographic verification. Here's how it all comes together.

  • Detect: release tags and package version tracking
  • Rebuild: compile from verified source code
  • Deliver: push the secure image with attestations

1. Patch Detection

SecureBuild detects when upstream projects release new versions (including security patches) through:

  • Release tag monitoring on GitHub/GitLab
  • Package version tracking in registries

2. Secure Rebuilding

This is where SecureBuild differs from traditional scanners. Instead of just reporting vulnerabilities, we build new images:

Source Verification

All source code is fetched from official repositories with cryptographic verification:

  • SHA256 checksum validation

Trusted Build Environment

Builds run on isolated, ephemeral infrastructure:

  • Fresh VM for each build (no persistent state)
  • Minimal base environment

SLSA Compliance

SecureBuild generates SLSA Level 3 compliant provenance:

  • Cryptographically signed build attestations
  • Complete build logs and environment details
  • Source-to-artifact mapping

3. Secure Delivery

Once built, images are delivered with full supply chain metadata:

SBOM Generation

Every image includes a Software Bill of Materials in both SPDX and CycloneDX formats, documenting:

  • All packages and versions
  • License information
  • Dependency relationships
  • Runtime dependencies

Image Signing

Images are signed using Sigstore/Cosign, allowing you to verify authenticity:

cosign verify --key securebuild.pub my-secure-postgres
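Signature verification only proves who signed the image; the SLSA provenance attested alongside it (section 2) is what ties the image back to its source. The checker below is an added example, not SecureBuild's code: it takes the decoded in-toto statement that a successful `cosign verify-attestation` would hand you and enforces the source-to-artifact mapping (subject digest, builder identity, pinned upstream source). The SLSA v0.2 predicate layout, the builder ID, registry name and digests are assumptions and constructed sample values.

```python
import json

# Constructed sample provenance in the in-toto Statement / SLSA v0.2 layout.
# Digests, builder id and registry name are placeholders, not real SecureBuild output.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/my-secure-postgres",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": "https://securebuild.example/builder/v1"},  # assumed id
        "materials": [{
            "uri": "git+https://github.com/postgres/postgres@refs/tags/REL_16_3",
            "digest": {"sha1": "b" * 40},
        }],
    },
})


def check_provenance(statement_json, image_digest, builder_id, source_prefix):
    """Return the list of policy violations for a decoded provenance statement.

    An empty list means the image may be admitted; each string is one reason
    to refuse it.  Call this only after cosign has verified the attestation
    signature, since nothing here proves the statement is authentic.
    """
    st = json.loads(statement_json)
    problems = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType %r" % st.get("predicateType"))
    # Source-to-artifact mapping: the subject must be the exact digest we resolved
    # for the image, not merely a tag that could be re-pointed later.
    digests = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if image_digest not in digests:
        problems.append("subject digest does not cover image %s" % image_digest)
    pred = st.get("predicate", {})
    actual_builder = pred.get("builder", {}).get("id")
    if actual_builder != builder_id:
        problems.append("unexpected builder id %r" % actual_builder)
    # At least one material must be source under the expected upstream repository
    # and carry a digest, so the build can be traced to a pinned revision.
    mats = pred.get("materials", [])
    if not any(m.get("uri", "").startswith(source_prefix) and m.get("digest") for m in mats):
        problems.append("no pinned source material under %s" % source_prefix)
    return problems
```

In a pull or admission pipeline the digest argument comes from resolving the image reference you are about to run, never from the attestation itself.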

APK Repository and Image Registry

APK repository — Built packages (APKs produced by Melange) are published to an APK repository that is configured for your deployment. That repository is used when building images that depend on those packages (e.g. as a content-addressed source). The repository URL and public signing key are configured per environment.

Image registry — Built images are pushed to an OCI registry configured for your deployment. Users pull images from that registry—or from an OCI proxy in front of it—and verify them with Cosign as above. The registry host and repository path are configured per environment.
