AI Documentation Security
Overview
Chainguard’s AI documentation bundles are compiled with multiple security measures to ensure developers can trust the content they’re using with AI coding assistants. This page details our security practices and compilation process.
Security Measures
1. Automated Security Scanning
Every compilation runs through multiple security checks:
- Secret Detection: We scan for API keys, tokens, and other sensitive data
- Pattern Matching: Common secret patterns are automatically redacted
- File Size Limits: Individual files limited to 10MB, total bundle to 50MB
- Extension Filtering: Only .md, .html, and .json files are processed
2. Cryptographic Signatures
All documentation bundles are signed using Sigstore/Cosign:
- Keyless Signing: Using OIDC identity verification
- Transparency Log: All signatures recorded in Rekor
- Certificate Chain: Full certificate provided for verification
- Multiple Signatures: Both individual files and bundles are signed
3. Content Integrity
We ensure content hasn’t been tampered with:
- SHA-256 Checksums: For all files in the bundle
- Signed Checksums: The checksum file itself is signed
- Build Provenance: SLSA Level 3 attestations
- Immutable Artifacts: Released versions never change
Compilation Process
Source Repositories
Documentation is compiled from these official repositories:
- chainguard-dev/edu: Main documentation site
- chainguard-dev/courses: Learning materials
- chainguard-images/images-private: Image documentation
Build Environment
- GitHub Actions: Secure, ephemeral build environment
- Resource Limits: CPU and memory constraints enforced
- No Network Access: During compilation phase
- Minimal Permissions: Only required repository access
What Gets Filtered
During compilation, we automatically remove:
- Environment variables and secrets
- Internal URLs and endpoints
- Base64 encoded data blocks
- Private key materials
- Authentication tokens
Example patterns we redact:
- api_key=...
- password=...
- -----BEGIN PRIVATE KEY-----
- GitHub tokens (ghp_, ghs_)
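To show how pattern-based redaction of the examples above can work, here is an added sketch in Python. It is not Chainguard's scanner or code from compile_docs_secure.py. The regexes, the rule names and the redact() helper are assumptions, and the sample text is constructed.

```python
import re

MARK = "[REDACTED]"  # marker named in this page's FAQ

# Assumed regexes for the four example patterns listed above.
RULES = [
    # PEM private key block; an unterminated block is redacted to end of text (fail closed).
    ("private_key", re.compile(
        r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?"
        r"(?:-----END (?:[A-Z]+ )?PRIVATE KEY-----|\Z)", re.DOTALL), MARK),
    # api_key / password assignments: keep the key, drop the value.
    # The lookahead skips values that are already redacted, so reruns are no-ops.
    ("assignment", re.compile(
        r"(api_key|password)([ \t]*[=:][ \t]*)(?!\[REDACTED\])"
        r"(\"[^\"\n]*\"|'[^'\n]*'|[^\s\"'&]+)", re.IGNORECASE), r"\1\2" + MARK),
    # GitHub tokens with the ghp_ and ghs_ prefixes.
    ("github_token", re.compile(r"\bgh[ps]_[A-Za-z0-9]{36,}\b"), MARK),
]


def redact(text):
    """Return (clean_text, hits); hits maps rule name -> number of redactions."""
    hits = {}
    for name, pattern, replacement in RULES:
        text, count = pattern.subn(replacement, text)
        if count:
            hits[name] = count
    return text, hits


# Constructed sample input; none of these values are real credentials.
SAMPLE = '''\
export API_KEY="sk-constructed-000"
login with password=hunter2&user=docs
token: ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
-----BEGIN PRIVATE KEY-----
MIIconstructedNotARealKey
-----END PRIVATE KEY-----
'''

if __name__ == "__main__":
    clean, hits = redact(SAMPLE)
    print(clean)
    print(hits)
```

Rule order matters: the assignment rule runs before the token rule so that a token assigned to api_key is counted once, not twice.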
Verification Guide
Direct Download Verification
# 1. Download files
curl -LO https://github.com/chainguard-dev/edu/releases/download/ai-docs/chainguard-ai-docs.tar.gz
curl -LO https://github.com/chainguard-dev/edu/releases/download/ai-docs/chainguard-ai-docs.tar.gz.sig
# 2. Verify signature (identity regexp anchored to the chainguard-dev/edu repository)
cosign verify-blob \
  --certificate-identity-regexp '^https://github\.com/chainguard-dev/edu/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --signature chainguard-ai-docs.tar.gz.sig \
  chainguard-ai-docs.tar.gz
# 3. Extract and verify contents
tar -xzf chainguard-ai-docs.tar.gz
./verification.sh
Container Verification
# 1. Verify container signature
cosign verify cgr.dev/chainguard/ai-docs:latest
# 2. Inspect without running
docker create --name temp cgr.dev/chainguard/ai-docs:latest
docker cp temp:/docs/checksums.sha256 .
docker rm temp
# 3. Verify and extract
docker run --rm cgr.dev/chainguard/ai-docs:latest verify
docker run --rm -v "$(pwd)":/output cgr.dev/chainguard/ai-docs:latest extract /output
Build Frequency
- Automatic Builds: Daily at 2 AM UTC
- On-Demand: When documentation changes
- Releases: Weekly signed releases
Security Reporting
If you discover a security issue:
- Do NOT open a public issue
- Email security@chainguard.dev
- Include:
  - Description of the issue
  - Steps to reproduce
  - Potential impact
FAQ
Why are some sections marked [REDACTED]?
This indicates our security scanner detected potentially sensitive information and removed it to protect our systems and users.
Can I build the bundle myself?
Yes! The compilation scripts are open source:
git clone https://github.com/chainguard-dev/edu
cd edu
python3 scripts/compile_docs_secure.py
How do I verify the build logs?
Build logs are public on GitHub Actions:
What if verification fails?
- Ensure you have the latest version of cosign
- Check your internet connection (for transparency log verification)
- Try downloading the files again
- Report persistent issues to support@chainguard.dev
Last updated: 2025-07-30 10:00