Resources

Artifacts, Guides, and Evidence.

Practical references for FedRAMP teams handling container evidence: SBOMs, signatures, provenance, and cryptographic boundary questions.

Downloads

Redacted Samples

These samples show the shape of deliverables. Customer-specific artifacts and SLAs are defined contractually.

SBOM (CycloneDX)

sample-sbom.cdx.json

Attached to each image as an OCI referrer in our managed image pipelines; inventories the packages and dependencies shipped in the image.

Provenance (SLSA)

sample-provenance.intoto.jsonl

In-toto attestation recording source-to-artifact lineage (builder, source revision, materials) so the build can be traced and verified.

cosign Verification

sample-cosign-verify.txt

Verification command your assessor can run to confirm that a deployed image digest carries a valid signature from the expected signer identity.

Audit Report

sample-audit-report.md

Executive summary and finding format sample for 3PAO review.

Checklist

FedRAMP Container Evidence

What Your 3PAO Will Ask For

Use this as a quick gap check before assessment.

1. Immutable digests for deployed images (no tag-only deployments; a tag plus digest is acceptable, since the digest governs what is pulled)
2. SBOM attached per image release (OCI referrer or documented storage)
3. Signature verification procedure and identity policy (cosign/Sigstore): which signer identity and OIDC issuer are accepted
4. Provenance attestations (SLSA) for build traceability
5. Crypto boundary description and FIPS 140 validated module (CMVP certificate) references, when applicable
6. CVE scanning and triage procedure with documented acceptance thresholds
7. Change control log for base image rebuilds
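Checklist items 1 and 3 are the ones most teams fail on the first pass, and both can be checked mechanically before the assessor arrives. The script below is an added example and is not one of the sample files above or part of our pipeline tooling. It runs a digest-pinning gap check over a constructed list of image references, then refuses to hand anything that is not digest-pinned to cosign; the cosign invocation uses the cosign 2.x keyless flags (`--certificate-identity`, `--certificate-oidc-issuer`), and the registry host, image names, digests, signer identity and issuer are placeholders.

```shell
#!/bin/sh
# Added example: pre-assessment gap check for checklist items 1 and 3.
# All image references, digests, identities and issuers below are constructed
# placeholders, not real deployments or a real signing policy.

# Constructed sample of image references as they might appear in deployment
# manifests. Two are digest-pinned; three are not (tag-only, untagged, or a
# malformed digest that is too short to be a sha256).
SAMPLE_IMAGES='registry.example.gov/app/api@sha256:0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
registry.example.gov/app/web:1.4.2
registry.example.gov/app/worker:1.4.2@sha256:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
registry.example.gov/app/cron
registry.example.gov/app/db:latest@sha256:1234'

# Placeholder identity policy (checklist item 3): the workflow identity that is
# allowed to sign release images, and the OIDC issuer that vouches for it.
SIGNER_IDENTITY='https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.4.2'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Exit 0 if the reference ends in a full 64-hex-digit sha256 digest.
# A tag in front of the digest is fine: the registry resolves by digest and
# the tag is informational only. A tag-only or untagged reference is a moving
# target and fails item 1.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print every reference from a newline-separated list that is not pinned.
list_unpinned() {
  printf '%s\n' "$1" | while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    is_digest_pinned "$ref" || printf '%s\n' "$ref"
  done
}

# Number of unpinned references in the list (0 when everything is pinned).
count_unpinned() {
  list_unpinned "$1" | grep -c .
}

# Verify a single pinned reference against the identity policy.
# Returns 1 and verifies nothing for a non-pinned reference, so the assessor
# never gets a "verified" result for a tag that could be re-pointed later.
# Returns 2 if cosign is not installed. Otherwise returns cosign's status.
verify_pinned_image() {
  ref=$1
  if ! is_digest_pinned "$ref"; then
    printf 'refusing to verify non-digest reference: %s\n' "$ref" >&2
    return 1
  fi
  if ! command -v cosign >/dev/null 2>&1; then
    printf 'cosign not installed; would verify %s against %s (%s)\n' \
      "$ref" "$SIGNER_IDENTITY" "$OIDC_ISSUER" >&2
    return 2
  fi
  cosign verify \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$ref"
}

# Demo over the constructed list.
echo "Tag-only or malformed references (checklist item 1):"
list_unpinned "$SAMPLE_IMAGES"
echo "unpinned count: $(count_unpinned "$SAMPLE_IMAGES")"
verify_pinned_image 'registry.example.gov/app/web:1.4.2' || echo "rejected, status $?"
```

Run it against the image references pulled from your real manifests (for example the `image:` fields of rendered Kubernetes objects) and treat any non-zero unpinned count as an item 1 finding. For item 3, the identity and issuer values are the policy; record them in the verification procedure you hand the 3PAO so the assessor runs the same constrained command rather than an unconstrained `cosign verify`.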