Docker images
Pull the matching ghcr.io tag:
docker pull ghcr.io/cloudfieldcz/shieldoo-gate:0.19.0
docker pull ghcr.io/cloudfieldcz/scanner-bridge:0.19.0Image pages:
shdg CLI
Push-from-CI client. Pre-built for Linux, macOS, and Windows:
| OS | Arch | Archive |
|---|---|---|
| Linux | x86_64 | shdg-0.19.0-linux-amd64.tar.gz |
| Linux | aarch64 | shdg-0.19.0-linux-arm64.tar.gz |
| macOS | Intel | shdg-0.19.0-darwin-amd64.tar.gz |
| macOS | Apple Silicon | shdg-0.19.0-darwin-arm64.tar.gz |
| Windows | x86_64 | shdg-0.19.0-windows-amd64.zip |
shdg version reports 0.19.0 to match the Docker tag.
Verify archive integrity with SHA256SUMS (also attached).
Supply-chain security
All artifacts are signed and carry SLSA build provenance (keyless, via GitHub OIDC + Sigstore).
- Images — cosign signature + SLSA provenance + CycloneDX SBOM attached as OCI referrers:
cosign verify ghcr.io/cloudfieldcz/shieldoo-gate:0.19.0 \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com gh attestation verify oci://ghcr.io/cloudfieldcz/shieldoo-gate:0.19.0 --repo cloudfieldcz/shieldoo-gate - shdg binaries — SLSA provenance:
gh attestation verify shdg-0.19.0-linux-amd64.tar.gz --repo cloudfieldcz/shieldoo-gate - Detached signatures — each archive and
SHA256SUMSalso ships a keyless*.sig+*.pemcert (recognised by OpenSSF Scorecard):The same provenance is also attached ascosign verify-blob \ --signature shdg-0.19.0-linux-amd64.tar.gz.sig \ --certificate shdg-0.19.0-linux-amd64.tar.gz.pem \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com shdg-0.19.0-linux-amd64.tar.gzshdg-0.19.0.intoto.jsonl. - SBOMs — the CycloneDX SBOMs dogfooded through the gate are attached (
*.cdx.json) with a detached cosign bundle (*.cdx.json.cosign.bundle):cosign verify-blob --bundle sbom-gate.cdx.json.cosign.bundle \ --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com sbom-gate.cdx.json
Changes (v0.18.1…v0.19.0)
- build(test): migrate e2e-shell test-runner to ubuntu 26.04 (#81) (#92) (d1c91ff)
- feat(scanner-bridge): migrate to guarddog 3.0.2 (+ grpcio-tools 1.81.1, openai 2.44.0) (#91) (c41c4f5)
- build(ci): bump GitHub Actions (setup-go, attest-build-provenance, codeql-action v4) (#90) (b21827a)
- chore(deps): bump the npm-minor-patch group in /ui with 11 updates (#86) (54ce9df)
- chore(deps): bump the gomod-minor-patch group with 3 updates (#84) (16a0a09)