Container Management
Image provenance, lifecycle, and runtime controls for container workloads.
Verifying What's Actually Running in Production: Build Diff vs Runtime Reality
Hash what's actually executing in production, diff it against the build artifact, and catch agent-authored Dockerfile drift before an incident makes you wish you had.
Container Provenance for AI-Generated Builds: SLSA Attestations When the Source Is Half Human, Half Agent
How to issue SLSA Build provenance attestations on container images when an autonomous coding agent contributed to the Dockerfile, the build script, or the source — without losing the audit trail.
Pinning Base Images When AI Agents Author Dockerfiles
Coding agents reach for `:latest` by reflex. Here is the SHA-pinning, Renovate-driven workflow that lets agents touch Dockerfiles without breaking your supply chain.
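A concrete form of the pinning check that item describes, added here as an illustration (this is not code from the linked article or from Renovate): it walks a Dockerfile, skips references to earlier build stages and `scratch`, and reports every `FROM` whose base image is not pinned to a `@sha256:` digest, distinguishing floating tags (`:latest` or no tag), tags built from an `ARG`, and plain mutable tags. The sample Dockerfile is constructed for the example; in practice you would run this in CI on the agent's PR and let Renovate bump the digests afterwards.

```python
"""Flag unpinned base images in a Dockerfile (added example, not the original page's code)."""
import re

# Constructed sample Dockerfile (assumption, not from any real project):
# stage 1 floats via an ARG, stage 2 uses :latest, stage 3 is digest-pinned.
SAMPLE_DOCKERFILE = """\
ARG GO_VERSION=1.22
FROM golang:${GO_VERSION} AS build
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM python:latest AS tools
RUN pip install bandit

FROM gcr.io/distroless/static-debian12@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
"""

# A pinned reference ends in a full 64-hex-char sha256 digest (tag before it is optional).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def find_unpinned_base_images(dockerfile_text):
    """Return [(line_no, image_ref, reason)] for every FROM that is not digest-pinned.

    FROM lines that name an earlier build stage, or 'scratch', are not image pulls
    and are skipped. Tags are checked on the last path component so that registry
    hosts with a port (localhost:5000/img) are not mistaken for a tag.
    """
    stages = set()
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref.lower() in stages or ref.lower() == "scratch":
            # Stage reference or empty base: nothing is fetched from a registry.
            if alias:
                stages.add(alias.lower())
            continue
        if alias:
            stages.add(alias.lower())
        if DIGEST_RE.search(ref):
            continue  # immutable: content-addressed by digest
        name = ref.rsplit("/", 1)[-1]
        if "$" in ref:
            reason = "tag built from ARG, resolved only at build time"
        elif ":" not in name or name.endswith(":latest"):
            reason = "floating tag (:latest or no tag)"
        else:
            reason = "tag without digest, tag is mutable in the registry"
        findings.append((line_no, ref, reason))
    return findings


if __name__ == "__main__":
    problems = find_unpinned_base_images(SAMPLE_DOCKERFILE)
    for line_no, ref, reason in problems:
        print(f"Dockerfile:{line_no}: unpinned base image {ref!r}: {reason}")
    raise SystemExit(1 if problems else 0)
```

Exit status is non-zero when any finding exists, so the same script works as a CI gate; pinning to a digest is what makes the later SBOM and provenance diffs meaningful, because the base layers can no longer change underneath a PR.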
SBOM Diff for Container Updates Authored by Coding Agents
When an autonomous agent rewrites a Dockerfile or bumps a dependency, you want a CycloneDX SBOM diff in the PR — not a CVE in production. Here is the pattern.
Detecting Drift Between Dev Container and Prod Image
When agents iterate locally inside a devcontainer, the prod image you ship can quietly diverge. Cosign attestation diffs catch the gap before incidents do.
Gold Images for Incident Response: How to Verify That What's Running Is What You Built
Using hardened base images, cryptographic signing, and policy enforcement to answer 'is this container what we actually built?' during an incident.