# Gate 04 — Container security

**State at `v1.1.0`: ✅ PASS** with cosign as a documented follow-up (not a banking blocker yet).

## Required items

| Item                                                               | Required | State                                                               |
| ------------------------------------------------------------------ | -------- | ------------------------------------------------------------------- |
| Multi-stage `Dockerfile` with non-root runtime                     | yes      | ✅ PASS                                                              |
| `container-scan` Trivy job fails on HIGH/CRITICAL findings that have a fix available | yes | ✅ PASS |
| Tag-driven publish to GHCR with `vX.Y.Z`, `sha-<commit>`, `latest` | yes      | ✅ PASS                                                              |
| Provenance + SBOM attached at publish                              | yes      | ✅ PASS — `provenance: mode=max`, `sbom: true`                       |
| SBOM artefact retained 90 days                                     | yes      | ✅ PASS                                                              |
| Cosign keyless signing                                             | no       | Documented as planned post-cutover enhancement (Gate 08 in Phase 2) |
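
As an added illustration (not the edge-app repository's own workflow, which this page does not reproduce), the following GitHub Actions job shows how the required items above fit together in one pipeline: a build triggered only by a `v*` tag, a Trivy gate on fixed HIGH/CRITICAL findings run before anything is pushed, the three tag forms, BuildKit provenance and SBOM attestations at publish, and the SPDX SBOM pulled back out of the pushed image and kept as a 90-day artefact. The workflow filename `release.yml`, the action version pins, the `Proprietary` licence label override and the two-build layout are assumptions made for the example; the multi-stage, non-root `Dockerfile` itself is not shown.

```yaml
# Added example, not the project's own workflow. Assumed to live at
# .github/workflows/release.yml; action version pins are assumptions.
name: release

on:
  push:
    tags: ["v*.*.*"]          # tag-driven publish only; branches never publish

permissions:
  contents: read
  packages: write             # push to GHCR
  # id-token: write           # grant only when Gate 08 (cosign keyless) lands

jobs:
  build-scan-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # BuildKit is required for provenance/SBOM attestations.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tags: vX.Y.Z (raw git tag), sha-<full commit>, latest.
      # Labels: metadata-action emits the org.opencontainers.image.* set from
      # the repo; version is forced to the raw tag so it reads vX.Y.Z rather
      # than the v-stripped semver, and the licence label is set explicitly.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/nkap360-dev/edge-app
          tags: |
            type=semver,pattern={{raw}}
            type=sha,format=long,prefix=sha-
            type=raw,value=latest
          labels: |
            org.opencontainers.image.version=${{ github.ref_name }}
            org.opencontainers.image.licenses=Proprietary

      # Build once into the local daemon so it can be scanned before any push.
      - uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: ghcr.io/nkap360-dev/edge-app:scan-candidate

      # Gate: non-zero exit on HIGH/CRITICAL findings that have a fix.
      # ignore-unfixed keeps the gate actionable; unfixed findings are still
      # reported in the table output but do not block.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/nkap360-dev/edge-app:scan-candidate
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"
          format: table

      # Publish with SLSA provenance (mode=max) and an SPDX SBOM attached as
      # attestations on the pushed manifest. Layers are reused from the build above.
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: mode=max
          sbom: true

      # Pull the SPDX SBOM attestation back out of the pushed image and keep it
      # as a workflow artefact for 90 days.
      - run: |
          docker buildx imagetools inspect \
            "ghcr.io/nkap360-dev/edge-app:${{ github.ref_name }}" \
            --format '{{ json .SBOM.SPDX }}' > sbom.spdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.ref_name }}
          path: sbom.spdx.json
          retention-days: 90
```

The scan runs against a locally loaded build rather than the pushed image so that a blocking finding never reaches the registry; the second build step reuses the cache and is the only one that produces attestations, since BuildKit does not attach attestations to images exported into the local daemon. `id-token: write` is left commented out on purpose: the job has no need for an OIDC token until Gate 08, and granting it early widens what a compromised step could do.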

## Image labels populated

| Label                               | Value                                     |
| ----------------------------------- | ----------------------------------------- |
| `org.opencontainers.image.version`  | `vX.Y.Z`                                  |
| `org.opencontainers.image.revision` | `<commit-sha>`                            |
| `org.opencontainers.image.source`   | `https://github.com/NKAP360-dev/edge-app` |
| `org.opencontainers.image.title`    | `edge-app`                                |
| `org.opencontainers.image.licenses` | `Proprietary`                             |

## Why it matters

`latest` is convenient and a footgun in prod: it is a moving pointer, so two pulls of the same reference on different days can return different images. The contract is: **prod consumers pin `vX.Y.Z`**, never `latest`. Keep in mind that a version tag is still a tag; an OCI registry can remap any tag, and the only reference that cannot be remapped is the content digest (`ghcr.io/nkap360-dev/edge-app@sha256:<digest>`), so consumers who need a mutation-proof pin record the digest next to the version. On the publish side, re-tagging is restricted by org-level package permissions on GHCR.

## What's next (Gate 08)

Cosign keyless signing via GitHub OIDC. The verification step on the bank side becomes:

```bash
# The identity pins both the workflow file and the git ref, so a signature from
# another workflow, branch or tag is rejected; the issuer pins GitHub's OIDC provider.
cosign verify ghcr.io/nkap360-dev/edge-app:vX.Y.Z \
  --certificate-identity "https://github.com/NKAP360-dev/edge-app/.github/workflows/release.yml@refs/tags/vX.Y.Z" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
# Success prints the verified payload including the image digest; pin that digest downstream.
```

## Compliance mapping

* ISO 27001 Annex A.5.32 (Intellectual property rights — images carry SPDX licence label).
* ISO 27001 Annex A.8.30 (Outsourced development — image provenance).
* DORA Art 11(2)(b) (ICT operational resilience testing — reproducible from artifacts).


