About & Audit · ClearCutt Catalog

THE CLEARCUTT BLUEPRINT

Hardened Base Images,
Hermetically Built.

ClearCutt is a free, forkable platform kit for publishing your own hardened base-image fleet — with signatures, SBOM attestations, SLSA provenance, catalog evidence, app-team templates, and governance gates under your own GitHub OIDC identities. You run the pipeline; there is no hosted ClearCutt control plane to trust.

About ClearCutt

Project Status & Readiness: ClearCutt is a pre-1.0 open-source blueprint currently maintained by a single author. The public catalog serves as a worked-example of a live image hardening feed. Before utilizing these runtimes in critical production environments, downstream organizations are strongly encouraged to fork the repository, host their own builds, and conduct independent verification.

ClearCutt is a free, open-source base image blueprint designed for platform and security engineers who want cryptographically certifiable, shell-less runtime containers. Unlike traditional opinionated base OS projects, ClearCutt is a forkable framework built with Nix. Downstream teams are expected to fork this repository to compile and govern their own custom internal container feeds, or overlay safe Nix closures on top of standard base images (like Red Hat UBI or Ubuntu Pro).

Our supply chain pipeline compiles target runtimes as isolated, hermetically-built /nix/store closures. The catalog serves as a live worked-example proving the end-to-end verifiability of our OCI builds, from OIDC-based signing to transparent OpenVEX exploitability records.

Supply Chain Architecture Flow

The end-to-end ClearCutt trust flow coordinates hermetic Nix base compilations, OIDC-based signing and attestation metadata, and Kubernetes dynamic policy checks at admission time:

Structural Hardening & Compliance Traits

Auditing modern cloud-native systems requires proof of configuration. ClearCutt translates traditional soft policies into verifiable, structural traits:

Structural Hardening

The distroless tier omits shells, package managers, and core system utilities. That reduces common shell-spawn escape paths, while keeping the exact boundary visible in the security model.

Cryptographic Overlays

Images expose independently verifiable Sigstore signatures, SBOM attestations, SLSA Build L3 provenance, test evidence, and release metadata that downstream gates can pin to exact workflow identities.

Rescan Without Rebuild

Because an SPDX SBOM is attached to every image, the catalog re-scans it nightly against the current vulnerability database — newly-disclosed CVEs surface without rebuilding the image. A separate scheduled job drafts remediation PRs for review; nothing merges or deploys on its own.

Tiers, at a glance

Distroless

No shells, no coreutils, no package manager. Only the language runtime and CA certificates. Smallest attack surface; not for debugging.

Slim

Adds busybox/bash and minimal troubleshooting tooling. Production runtime when you still want a way in.

Dev

Full compiler toolchain, debug shells, and the transient credential helper. Strictly build-time; never deploy this to clusters.

Runtime closure policy

ClearCutt defaults to a compatibility-first runtime closure, then makes the trade-offs explicit. The baseline keeps the primary language runtime, CA trust, required dynamic libraries, and the transitive packages Nix proves are reachable from that runtime. The slim tier adds only a small diagnostic shell/tool surface. Distroless removes that operator surface.

Packages that exist mainly for optional features, such as Java printing, AWT, fonts, or image codecs, are tracked as pruning candidates instead of being silently removed. The default image should run ordinary workloads without customization; specialized users can fork the Nix closure or adopt a future minimal profile when they can prove they do not need those compatibility edges.

What we attest

SPDX SBOM — emitted by Syft from the actual OCI archive, attached to the manifest as a cosign predicate of type spdxjson.
Test results — a custom predicate recording the vulnerability and structure gates that passed before publication.
SLSA Build L3 provenance — generated by the upstream slsa-github-generator reusable workflow, against the multi-arch manifest digest.
Sigstore keyless signature — cert chain points back to the exact GitHub Actions workflow file and ref that built the image.

The catalog reports those channels independently; provenance never stands in for a missing signature, and vulnerability scans show as pending until every architecture has fresh scan data.

Threat model boundaries

Distroless removes exec()-style shell escapes but does not mitigate every RCE class. Direct syscalls, bundled interpreter APIs, or statically-linked shells inside an application binary are unaffected. See the architectural decisions log in the repo for the full trade-off discussion.

Verifying ClearCutt images

Every published ClearCutt image is expected to carry independent evidence stored with the GHCR manifest: a Sigstore signature (keyless OIDC), an SPDX SBOM attestation, SLSA provenance, and GitHub-native attestations. The catalog marks each evidence channel separately so a missing signature, attestation, or scan is visible instead of being inferred from another signal.

The examples below use clearcutt-corelts pinned to v0.8.1-distroless. Swap in any image from the catalog — the verification flow is identical.

1. Install tools

# macOS / Linux
brew install cosign slsa-verifier crane jq gh

Pinned versions in CI: cosign v3.0+, slsa-verifier v2.7+, crane v0.20+. The gh CLI (step 5) is optional — use it if you prefer GitHub's attestation store over running cosign directly.

2. Verify the signature

ClearCutt uses keyless OIDC — there's no static public key. Instead you assert which workflow file built the image (the cert SAN) and which OIDC issuer signed the cert. The regex below pins both pieces literally.

cosign verify ghcr.io/northcutted/clearcutt/clearcutt-corelts:v0.8.1-distroless \
  --certificate-identity-regexp '^https://github\.com/northcutted/clearcutt/\.github/workflows/release\.yml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

3. Verify the SBOM attestation

Confirms the SPDX SBOM on the manifest was produced by the same workflow run that signed the image. Same identity regex as step 2 — never loosen it (matching any workflow under the repo would let any reusable workflow signed in this repo satisfy the check, which defeats the point).

cosign verify-attestation ghcr.io/northcutted/clearcutt/clearcutt-corelts:v0.8.1-distroless \
  --type spdxjson \
  --certificate-identity-regexp '^https://github\.com/northcutted/clearcutt/\.github/workflows/release\.yml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  | jq '.payload | @base64d | fromjson | .predicate'

4. Verify SLSA L3 provenance

Confirms the build was non-falsifiable — produced by the upstream slsa-github-generator running on hosted GitHub runners, from the protected release branch. The image tag and manifest digest still pin the released artifact.

# Resolve the multi-arch digest first
DIGEST=$(crane digest ghcr.io/northcutted/clearcutt/clearcutt-corelts:v0.8.1-distroless)
slsa-verifier verify-image ghcr.io/northcutted/clearcutt/clearcutt-corelts@$DIGEST \
  --source-uri 'github.com/northcutted/clearcutt' \
  --source-branch 'main'

5. Verify with the GitHub CLI (alternative to cosign)

The same build provenance and SBOM are also published as GitHub-native attestations. If you'd rather not run cosign, gh attestation verify checks them against GitHub's attestation store and the Sigstore public-good transparency log — pinning the repository, workflow identity, and source ref so only attestations produced by the release workflow are trusted.

# Resolve the digest, then verify the GitHub-native attestation
DIGEST=$(crane digest ghcr.io/northcutted/clearcutt/clearcutt-corelts:v0.8.1-distroless)
gh attestation verify oci://ghcr.io/northcutted/clearcutt/clearcutt-corelts@$DIGEST \
  --repo northcutted/clearcutt \
  --cert-identity-regex '^https://github\.com/northcutted/clearcutt/\.github/workflows/release\.yml@refs/heads/main$' \
  --source-ref refs/heads/main

6. Enforce at admission

For Kubernetes, every image detail page exposes a copy-pasteable Kyverno ClusterPolicy that wires the same certificate identity and issuer into a cluster-side admission gate. The policy uses a literal subject (not a regex) for an exact pin.