Image Catalog

Pull. Verify. Ship Evidence.

Catalog of FLAMED images and verification procedures. Deliverables, SLAs, and acceptance thresholds are defined contractually by tier.

Catalog

Runtimes + Core Images

Hosted on GHCR. Signed. SBOMs and provenance available on all tags.

Image               | Tag               | Base  | Crypto                  | SBOM      | Status
--------------------|-------------------|-------|-------------------------|-----------|----------
flamed-us/node-fips | 20, 20.x.x        | wolfi | OpenSSL 3.0 FIPS        | CycloneDX | Available
flamed-us/node-fips | 18, 18.x.x        | wolfi | OpenSSL 3.0 FIPS        | CycloneDX | Available
flamed-us/core-fips | latest, YYYYMMDD  | wolfi | OpenSSL (as configured) | CycloneDX | Available
Verify

Verification Steps

These are the checks we expect a security team or assessor to run.

Verify Signature

cosign verify \
  --certificate-identity-regexp="https://github.com/flamed-us/node-fips" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/flamed-us/node-fips:20

Note that --certificate-identity-regexp is matched unanchored, so anchor the pattern (or pass the full workflow identity with --certificate-identity) when you need an exact match, and compare the digest in the returned payload with the digest you actually pulled.
sample-cosign-verify.txt
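As an added example (not part of the catalog or the FLAMED tooling), the check below evaluates the JSON array that cosign verify prints for the node-fips image against an anchored identity pattern, the GitHub Actions issuer and the digest that was pulled. The workflow path and the digest are assumed placeholder values; the sample payload is constructed.

```python
import json
import re

# Expected values taken from the catalog entry. The workflow path inside the
# identity is an assumption (the page only gives the repository URL).
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
# Anchored, unlike an unanchored --certificate-identity-regexp.
EXPECTED_IDENTITY = re.compile(
    r"^https://github\.com/flamed-us/node-fips/\.github/workflows/[^@]+@refs/.+$"
)
EXPECTED_REFERENCE = "ghcr.io/flamed-us/node-fips"


def check_cosign_payload(payload_json, expected_digest):
    """Return (ok, reasons) for a `cosign verify` JSON payload.

    Every signature entry must carry the expected OIDC issuer, an identity
    matching the anchored pattern, the image reference that was requested and
    the manifest digest that was actually pulled.
    """
    reasons = []
    entries = json.loads(payload_json)
    if not entries:
        return False, ["no signatures in payload"]
    for i, entry in enumerate(entries):
        critical = entry.get("critical", {})
        optional = entry.get("optional", {})
        issuer = optional.get("Issuer")
        subject = optional.get("Subject", "")
        reference = critical.get("identity", {}).get("docker-reference")
        digest = critical.get("image", {}).get("docker-manifest-digest")
        if issuer != EXPECTED_ISSUER:
            reasons.append(f"entry {i}: unexpected issuer {issuer!r}")
        if not EXPECTED_IDENTITY.match(subject):
            reasons.append(f"entry {i}: identity {subject!r} not an exact match")
        if reference != EXPECTED_REFERENCE:
            reasons.append(f"entry {i}: signed reference {reference!r} differs")
        if digest != expected_digest:
            reasons.append(f"entry {i}: signed digest {digest!r} != pulled digest")
    return not reasons, reasons


# Constructed sample shaped like cosign's output; digest and workflow path are
# placeholders, not values published in the catalog.
SAMPLE_DIGEST = "sha256:" + "0" * 64
SAMPLE_PAYLOAD = json.dumps([{
    "critical": {
        "identity": {"docker-reference": EXPECTED_REFERENCE},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": "https://github.com/flamed-us/node-fips/.github/workflows/release.yml@refs/tags/v20.0.0",
    },
}])
```

A lookalike identity such as github.com/flamed-us/node-fips-fork would satisfy the unanchored regexp on the page but is rejected by the anchored pattern here.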

Retrieve SBOM

We publish SBOMs alongside images as OCI artifacts. Your contract will define the exact storage location.

sample-sbom.cdx.json

Provenance

We generate provenance attestations to support build traceability and audit requirements.

sample-provenance.intoto.jsonl

Audit Report

For audits, we deliver a written report with findings, evidence commands, and remediation plans.

sample-audit-report.md