# FLAMED Image Compliance Audit (Redacted Sample)

Date: 2026-04-09

## Executive Summary
- Assessed: 3 container images (redacted)
- Outcome: 2 FAIL, 1 PASS
- Primary blockers: non-validated crypto module, FIPS mode not enforced, missing SBOM referrer, unsigned artifacts

## Findings (Examples)
1. FIPS module not CMVP validated
   - Severity: High
   - Evidence: `openssl version -a` output indicates non-validated build lineage.
   - Remediation: Rebuild against a validated module and pin versions; remove fallback paths.

2. Unsigned image artifact
   - Severity: Medium
   - Evidence: `cosign verify` failed with no signature found.
   - Remediation: Sign images at build and enforce an admission policy.
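As an added example (not part of the sample report or its tooling), the following check turns the first finding into something repeatable: it decides whether an OpenSSL 3 host actually enforces FIPS mode by parsing the text of `openssl list -providers` together with the openssl.cnf in effect, flagging an active default provider as the fallback path the remediation asks to remove. The sample inputs are constructed.

```python
"""Added audit check: does an OpenSSL 3 host actually enforce FIPS mode?
Inputs: text of `openssl list -providers` and the openssl.cnf in effect.
Enforced = fips provider active, default provider NOT active (that is the
fallback path), and `default_properties = fips=yes` pinned in the config.
Sample inputs below are constructed, not real audit output."""
import re

def parse_providers(list_output: str) -> dict:
    """Map provider name -> status from `openssl list -providers` output."""
    providers, current = {}, None
    for line in list_output.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "Providers:":
            continue
        if len(line) - len(line.lstrip()) == 2:   # provider name line, e.g. "  fips"
            current = stripped
            providers[current] = "unknown"
        elif current and stripped.startswith("status:"):
            providers[current] = stripped.split(":", 1)[1].strip()
    return providers

def fips_enforced(list_output: str, openssl_cnf: str) -> tuple:
    """Return (ok, findings); an empty findings list means FIPS is enforced."""
    findings = []
    providers = parse_providers(list_output)
    if providers.get("fips") != "active":
        findings.append("fips provider not loaded/active")
    if providers.get("default") == "active":
        findings.append("default provider active: non-FIPS fallback path available")
    if not re.search(r"^\s*default_properties\s*=\s*fips\s*=\s*yes\s*$", openssl_cnf, re.M):
        findings.append("default_properties = fips=yes not pinned in openssl.cnf")
    return (not findings, findings)

# Constructed sample that reproduces the High finding: fips is loaded, but the
# default provider is still active and no property pin exists.
SAMPLE_LIST = """Providers:
  default
    name: OpenSSL Default Provider
    status: active
  fips
    name: OpenSSL FIPS Provider
    status: active
"""
SAMPLE_CNF = "[provider_sect]\ndefault = default_sect\nfips = fips_sect\n"

if __name__ == "__main__":
    ok, reasons = fips_enforced(SAMPLE_LIST, SAMPLE_CNF)
    print("PASS" if ok else "FAIL", reasons)   # FAIL with two findings
```

In a real run, feed the function the captured command output and the config file that the image's OpenSSL actually loads (check `OPENSSLDIR` from `openssl version -a`), not a copy from the build host.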

## Evidence Delivered
- SBOM (CycloneDX) attached to OCI referrers
- Cosign verification command and signature bundle
- Provenance attestation (SLSA provenance)

## Notes
This sample is illustrative and redacted. Actual reports include full command outputs, digests, control mappings, and a prioritized remediation plan.
