Hanami Compliance & Supply‑Chain Assurance Notes

1 · Container base image

Component  | Pin
Base image | cgr.dev/chainguard/jre@sha256:a834e5dba7010b1889a14c1e32cbbbbb807ffcdbd21c5f157cce290ed0a09313

The Chainguard JRE image is a minimal, Wolfi‑based OpenJDK runtime that ships with:

  • Zero‑CVE rebuilds and automatic back‑ports
  • Verifiable Sigstore signatures on every build
  • SBOM & SLSA provenance attestations for reproducible builds

2 · Signature and provenance verification

During the Hanami release workflow the JRE image digest and its provenance attestation are verified locally with Sigstore Cosign:

  • cosign verify – validates the image signature
  • cosign verify-attestation – validates the SLSA provenance (in‑toto envelope)

Artifacts shipped in every release ZIP:

<package>.zip
├── ep-hanami-<version>.tar
├── chainguard-jre-image-verification.json ← cosign verify (JSON)
├── chainguard-jre-image-verification.txt ← cosign verify (human readable)
├── chainguard-attestation.json ← raw in‑toto SLSA attestation
├── chainguard-attestation-verification.json ← cosign verify‑attestation (JSON)
└── chainguard-attestation-verification.txt ← cosign verify‑attestation (human readable)

Chainguard’s step‑by‑step guide for both commands is available here: https://images.chainguard.dev/directory/image/jre/provenance
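As an added example (not part of the Hanami release tooling), a consumer-side consistency check in Python over the artifacts listed above: it confirms that the cosign verify report and the decoded in-toto envelope both refer to the digest pinned in section 1, that the predicate is SLSA v1 provenance, and that the signer identity is the expected one. The issuer and identity values are assumptions to confirm against the linked Chainguard guide, and the sample artifacts are constructed; the check does not replace re-running cosign against the registry, which is what actually validates the signatures.

```python
import base64
import json

# Digest pinned in section 1 of these notes.
PINNED_DIGEST = "sha256:a834e5dba7010b1889a14c1e32cbbbbb807ffcdbd21c5f157cce290ed0a09313"
# Assumed signer identity/issuer for Chainguard public images; confirm in the linked guide.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_signature_report(report):
    """Check a `cosign verify` JSON report (simple-signing payloads) against the pin."""
    problems = []
    if not report:
        return ["cosign verify report is empty: nothing was verified"]
    for entry in report:
        digest = entry.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        opt = entry.get("optional") or {}
        if digest != PINNED_DIGEST:
            problems.append(f"signature covers {digest}, not the pinned digest")
        if opt.get("Issuer") != EXPECTED_ISSUER:
            problems.append(f"unexpected OIDC issuer {opt.get('Issuer')!r}")
        if opt.get("Subject") != EXPECTED_IDENTITY:
            problems.append(f"unexpected signer identity {opt.get('Subject')!r}")
    return problems


def check_attestation(envelope):
    """Decode a DSSE in-toto envelope; require SLSA v1 provenance whose subject is the pinned digest."""
    problems = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        problems.append("envelope payloadType is not in-toto")
    if not envelope.get("signatures"):
        problems.append("envelope carries no signatures")
    stmt = json.loads(base64.b64decode(envelope["payload"]))  # DSSE signature itself is cosign's job
    if stmt.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType {stmt.get('predicateType')!r} is not SLSA v1")
    subjects = {"sha256:" + s["digest"]["sha256"] for s in stmt.get("subject", []) if "sha256" in s.get("digest", {})}
    if PINNED_DIGEST not in subjects:
        problems.append("attestation subject does not include the pinned digest")
    return problems


# Constructed sample artifacts in the shapes cosign emits (not real Chainguard output).
SAMPLE_VERIFY = [{"critical": {"identity": {"docker-reference": "cgr.dev/chainguard/jre"},
                               "image": {"docker-manifest-digest": PINNED_DIGEST}, "type": "cosign container image signature"},
                  "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_IDENTITY}}]
_stmt = {"_type": "https://in-toto.io/Statement/v0.1", "predicateType": SLSA_V1, "predicate": {},
         "subject": [{"name": "cgr.dev/chainguard/jre", "digest": {"sha256": PINNED_DIGEST[7:]}}]}
SAMPLE_ENVELOPE = {"payloadType": "application/vnd.in-toto+json", "signatures": [{"keyid": "", "sig": "constructed"}],
                   "payload": base64.b64encode(json.dumps(_stmt).encode()).decode()}
```

Run it against the real chainguard-jre-image-verification.json and chainguard-attestation.json from a release ZIP by loading each file with json.load and passing the result to the matching function; an empty list means the artifacts agree with the pin.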


3 · Dependency vulnerability scanning

All Hanami application layers (first‑party code plus bundled third‑party JARs) are scanned with Trivy (https://trivy.dev/) in “image + filesystem” mode immediately after the Docker image is built.

Artifacts included in every release ZIP:

File             | Purpose
trivy-scan.json  | Raw JSON results (all findings, CVSS data, remediation hints)
trivy-scan.table | Human‑readable table derived from the JSON report

4 · Build metadata & auxiliary files

File / Folder                    | Purpose
ep-hanami-<version>-metadata.xml | Maven metadata captured at publish time (useful for consumers mirroring a repository)
ext/                             | Runtime extensions bundled with the release