Hardened Base Images, Evidence Built In.
Fork the kit · Own the trust chain
ClearCutt is a free, forkable platform kit for publishing your own hardened base-image fleet — with signatures, SBOM attestations, SLSA provenance, catalog evidence, app-team templates, and governance gates under your own GitHub OIDC identities. You run the pipeline; there is no hosted ClearCutt control plane to trust.
One kit, from fleet ownership to app updates
Managers see the operating outcome; platform engineers can follow each step into commands, workflow evidence, and policy hooks.
- 1 Own the fleet
Platform teams fork the kit and turn base images into governed source, not a vendor dependency.
clearcutt.fleet.yaml · Nix matrix · platform status
- 2 Publish evidence
Release workflows produce signed images, SBOMs, provenance, scans, and a catalog that shows each channel independently.
catalog build · release evidence · SLSA + Sigstore
- 3 Onboard apps
App teams get matching dev images, starter templates, and rebasable build paths without learning Nix.
list · inspect · dev · app template/build
- 4 Gate delivery
CI and admission policies block images that miss your runtime, evidence, or vulnerability contract.
certify · verify · conformance · policy
- 5 Operate updates
Security teams triage findings, document exceptions, and move compatible app layers onto patched bases under review.
scan · remediation · VEX · app diff-base/rebase
Application developers don't need Nix — pull, run, and verify the published images with plain Docker, Podman, or Kubernetes. Nix is only for the platform team authoring the fleet.
See the CLI in action
The statically compiled clearcutt Go CLI handles base-image discovery, local policy-gate verification, and byte-for-byte base rebases — all offline, no Docker daemon or Nix required.
The panel is an illustrative walk-through of real command shapes — scripted sample output, not a live run. Verify any image yourself from the audit guide.
Hermetic Store Closures
Nix-based hermetic compilation prevents untracked package injection. The verification guide describes how downstream forks run bit-for-bit reproducibility checks on their Nix store closures.
Structural Hardening
ClearCutt distroless images reduce runtime utility surface by omitting shells, package managers, and core system tools. The security model names what that proves, and what it does not.
High Reusability
Forkable platform kit. Publish your own signed fleet, catalog site, app templates, CI/CD checks, admission policies, and approved remediation PR flow.
Verifiable Store Closures
Hermetic Nix compilations ensure only transitively reachable packages enter the closure. Every byte can be traced back to its declarative source.
OIDC Verification Gates
Verify keyless signatures at cluster admission using GitHub OIDC identities. Prevent the execution of unsigned or altered OCI containers.
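The admission gate described above, as an added example (not a policy file from the ClearCutt repository): a sigstore policy-controller ClusterImagePolicy that admits images from the page's ghcr.io/northcutted/clearcutt registry only when they carry a keyless Sigstore signature issued to a GitHub Actions workflow of that repository, plus an SLSA provenance attestation. The policy name, the workflow path release.yaml and the branch/tag pattern are assumptions to adjust for your fork.

```yaml
# Added example: sigstore policy-controller ClusterImagePolicy (not ClearCutt's own file).
# Assumptions: the release workflow is .github/workflows/release.yaml in
# northcutted/clearcutt and signs from the main branch or a v* tag.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: clearcutt-keyless-gate   # placeholder name
spec:
  # Only images under this registry path are subject to the policy.
  images:
    - glob: "ghcr.io/northcutted/clearcutt/**"
  authorities:
    - name: github-actions-release
      keyless:
        # Public Sigstore Fulcio CA; point at your own if you run a private Sigstore.
        url: https://fulcio.sigstore.dev
        identities:
          # The signing certificate's OIDC issuer must be GitHub Actions and its
          # subject (the workflow identity) must match this repository's release
          # workflow, so a signature from any other repo or workflow is rejected.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github\\.com/northcutted/clearcutt/\\.github/workflows/release\\.yaml@refs/(heads/main|tags/v[0-9].*)$"
      ctlog:
        # Also require an inclusion proof from the Rekor transparency log.
        url: https://rekor.sigstore.dev
      attestations:
        # Beyond the signature, the image must carry a signed SLSA provenance
        # attestation from the same identity.
        - name: slsa-provenance
          predicateType: slsaprovenance
```

policy-controller only enforces ClusterImagePolicies in namespaces labelled `policy.sigstore.dev/include=true`, so label the workload namespaces you want gated.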
Exploitability Triage
Assess real risk with OpenVEX records instead of raw CVE noise. Zero-rebuild triage separates inert base issues from active exposure.
The northcutted/clearcutt blueprint: these images are verified worked examples of our hardening methods. Organizations should fork this blueprint repository to compile, sign, and host their own internal production-grade base image feeds under their own OIDC identities.
Supply Chain Health & Telemetry
Catalog compiled: 6/4/2026, 7:57:02 AM · Target: ghcr.io/northcutted/clearcutt
- All images keyless OIDC signed
- All images have SLSA Build L3 provenance
- Distroless, shell-free
- Declarative target closures