Provenance
Every container image in this release has authenticated provenance. Stock DHI images carry Docker’s full 15-attestation suite; custom images are built with DHI tooling and signed via Sigstore.
Attestation Sources
| Image | Source | Type | Attestations |
|---|---|---|---|
| postgres | dhi.io/postgres:17@sha256:99cb610d5fad... | stock | Docker Hardened Images |
| redis | dhi.io/redis:8@sha256:ed5e2e3edeed... | stock | Docker Hardened Images |
| keycloak | dhi.io/keycloak:26@sha256:f1aa59bc953b... | stock | Docker Hardened Images |
| caddy | dhi.io/caddy:2@sha256:bebd9b1b94a0... | stock | Docker Hardened Images |
| minio | ghcr.io/wellmaintained/packages-dhi/minio | custom | wellmaintained |
| sbomify-app | ghcr.io/wellmaintained/packages-dhi/sbomify-app | custom | wellmaintained |
Stock DHI images — attestations provided by Docker Hardened Images, including SBOM, VEX, SLSA provenance, and 12 additional attestation types.
Custom images — built using DHI YAML definitions with attestations generated by our pipeline: CycloneDX SBOM (scout-sbom-indexer), SPDX SBOM (syft), CVE scan (grype), secrets scan (gitleaks), hand-written VEX, and SLSA provenance (buildx).
Verification
All custom images are signed with Sigstore keyless signing using GitHub Actions’ OIDC identity. Verify signatures with cosign:
```bash
cosign verify \
  --certificate-identity-regexp="https://github.com/wellmaintained/packages-dhi/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/wellmaintained/sbomify-app:v0.1.0
```

Stock DHI images can be verified against Docker’s signing infrastructure:
```bash
cosign verify \
  --certificate-identity-regexp="https://github.com/docker/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  dhi.io/postgres:17
```

Source
All source code is available at the tagged release:
- Source tree — browse the full source
- Image definitions — DHI YAML build definitions
- Tool images — tool image digests
- App images — stock and custom image digests
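
The identity check behind the `cosign verify` command for custom images in the Verification section, as an added Go example (not code from this repository or from cosign). It assumes cosign applies `--certificate-identity-regexp` as an unanchored RE2 search and that GitHub Actions certificates carry the workflow ref as their SAN, and it compares the page's pattern with a stricter anchored one on constructed SAN values. `StrictPolicy`, the workflow file name and the tag format are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

const ghIssuer = "https://token.actions.githubusercontent.com"

// Policy mirrors the two cosign flags used on this page.
type Policy struct {
	Issuer   string         // exact match, like --certificate-oidc-issuer
	Identity *regexp.Regexp // RE2 pattern, like --certificate-identity-regexp
}

// Accepts reports whether a certificate with this issuer and SAN passes.
// Assumption: the identity pattern is applied as an unanchored search
// (regexp.MatchString), so a pattern without ^ can match anywhere in the SAN.
func (p Policy) Accepts(issuer, san string) bool {
	return issuer == p.Issuer && p.Identity.MatchString(san)
}

// PagePolicy uses the identity pattern exactly as written in the page's command.
func PagePolicy() Policy {
	return Policy{ghIssuer, regexp.MustCompile(`https://github.com/wellmaintained/packages-dhi/`)}
}

// StrictPolicy (hypothetical) anchors the pattern, escapes the dots and pins
// the workflow directory and a release-tag ref. The tag format is an assumption.
func StrictPolicy() Policy {
	return Policy{ghIssuer, regexp.MustCompile(
		`^https://github\.com/wellmaintained/packages-dhi/\.github/workflows/[^@]+@refs/tags/v[0-9.]+$`)}
}

// Constructed SAN values; the last one only illustrates search semantics.
var samples = []string{
	"https://github.com/wellmaintained/packages-dhi/.github/workflows/release.yml@refs/tags/v0.1.0",
	"https://github.com/wellmaintained/packages-dhi/.github/workflows/release.yml@refs/heads/feature-x",
	"https://github.com/wellmaintained/packages-dhi-tools/.github/workflows/release.yml@refs/tags/v0.1.0",
	"https://example.invalid/?ref=https://github.com/wellmaintained/packages-dhi/",
}

func main() {
	for _, san := range samples {
		fmt.Printf("page=%-5v strict=%-5v %s\n",
			PagePolicy().Accepts(ghIssuer, san), StrictPolicy().Accepts(ghIssuer, san), san)
	}
}
```

The trailing slash in the page's pattern is what keeps a sibling repository such as the constructed `packages-dhi-tools` from matching; the anchored form additionally rejects signatures made from branch builds.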