Build Secure Multi-Arch Images, Sign, Scan & Deploy with GitHub Actions + Cosign + Trivy

Sep 26, 2025 - Mid-Level

$1,450.00 Fixed

Strategic Gap

Your start-up has 12 micro-services (Node, Python, Go) built by different teams. Images are > 1 GB, sometimes run as root, carry no SBOM and no signature, and vulnerabilities are discovered only after deployment. Investors now require software supply-chain compliance (NTIA SBOM, SLSA L3 roadmap). You need a standardized, secure, CI-native container factory that developers love and auditors accept.

Compliance & Performance Targets

  • Image size ≤ 120 MB (from ~1.2 GB).
  • Zero CVE > HIGH in base images; < 5 MEDIUM in final layer.
  • Signed images (Cosign) + SBOM (Syft) attached in registry.
  • Multi-arch (amd64 + arm64) for Apple M1 laptops and Graviton savings.
  • Non-root user, read-only root filesystem, distroless where possible.

End-to-End Scope I Will Deliver

  • Baseline Assessment
    • Dockerfile audit matrix: image size, layer count, USER directive, package manager.
    • Trivy scan baseline JSON → CVE count per severity.
  • Golden Dockerfile Templates
    • Multi-stage pattern: builder (compile) → tester (unit) → runtime (distroless or alpine).
    • ARG targets for amd64/arm64 (TARGETARCH, BUILDPLATFORM).
    • USER 65534 (non-root) + HEALTHCHECK + LABEL metadata (version, commit SHA, build date).
  • CI/CD Pipeline (GitHub Actions)
    • Matrix strategy builds both architectures in parallel (QEMU + Docker Buildx).
    • Cache mounts (type=cache,target=/root/.cache) → build time −40 %.
    • Trivy scan gates: job fails if CVE > HIGH; SARIF uploaded to GitHub Security tab.
    • Cosign keyless signing (OIDC federated) → attestation stored in GHCR.
    • Syft generates SPDX JSON SBOM → attached to OCI manifest.
  • Registry & Signing Setup
    • GitHub Container Registry (GHCR) enabled for the organisation.
    • OIDC trust between GitHub and GHCR → no long-lived passwords.
    • Cosign public key uploaded to .well-known/cosign.pub for manual verification.
  • Supply-Chain Verification
    • Policy-controller (Kubernetes, optional) validates signature + SBOM before admission.
    • SLSA provenance generated (GitHub native) → L2 achieved (L3 roadmap document).
  • Developer Experience & Rollout
    • README template: how to build, scan, sign locally.
    • Makefile shortcuts: make build, make scan, make sign.
    • Brown-bag session (45 min Zoom) recording for engineering teams.
  • Enterprise-Grade Deliverables
    • Golden Dockerfile templates (Node, Python, Go) + GitHub Actions workflow YAML.
    • Registry (GHCR) organisation setup + OIDC federation Terraform.
    • SBOM & attestation examples (JSON) + verification script (cosign verify …).
    • Compliance evidence: Trivy scan, SARIF, SLSA provenance JSON files, signed.

Why a Mid-Level Specialist is Critical

  • Cosign & Trivy deep knowledge → avoids supply-chain attacks.
  • Multi-arch + QEMU experience → prevents Graviton surprises.
  • 30-day post-delivery support (shared Slack channel) for onboarding new micro-services.