Top-level view of Simple Container (sc): actors, actions, trust
boundaries, and how the build/release/consume chain hangs together.
This is the document for the "show me the system" Baseline check
(OpenSSF Baseline design-doc requirement). Deep-dive design records
for specific components live under docs/design/.
| Actor | Lives at | Trust level |
|---|---|---|
| Developer / Maintainer | Local laptop; pushes to GitHub | Trusted; gated by branch protection + signed commits |
| GitHub Actions runner (build pipeline) | simple-container-com/api workflows |
Trusted within Sigstore identity scope; cosign keyless cert binds output to this runner |
| Sigstore / Fulcio / Rekor | sigstore.dev | External — Mozilla CA-rooted; we trust the public transparency log |
| dist.simple-container.com | GCS bucket behind Cloudflare | Trusted distribution surface; Cloudflare DNSSEC + WAF |
Docker Hub simplecontainer org |
hub.docker.com | Trusted publish surface; org admin held by maintainers |
| End-user CLI invoker | Consumer laptop / CI runner | Untrusted environment; runs sc after sc.sh install verifies signatures |
| Consumer Cloud Account (AWS / GCP / K8s) | Customer's tenant | Provisioned by sc using credentials the consumer supplies; SC has no standing access |
| Pulumi engine | Local to the sc process |
Embedded; trusted within the sc process boundary |
| Cloudflare | DNS + WAF for simple-container.com zone |
Trusted infra surface; account-level admin held by maintainers |
flowchart LR
Dev[Developer]
GH[GitHub Actions<br/>push.yaml]
Sig[Sigstore Fulcio + Rekor]
Dist[dist.simple-container.com<br/>GCS + Cloudflare]
DockerHub[Docker Hub<br/>simplecontainer org]
SCSH[sc.sh installer]
SC[sc CLI on consumer]
Pulumi[(Pulumi engine)]
Cloud[Consumer Cloud<br/>AWS / GCP / K8s]
Dev -- "signed commit -> main" --> GH
GH -- "cosign sign-blob<br/>SLSA L3 attest<br/>SBOM" --> Sig
GH -- "publish tarball<br/>+ .sha256 + .cosign-bundle<br/>+ .sigstore.json + .sbom" --> Dist
GH -- "publish images" --> DockerHub
SCSH -- "curl + cosign verify-blob<br/>against push.yaml identity" --> Dist
SCSH -- "verified install" --> SC
SC -- "sc provision / deploy" --> Pulumi
Pulumi -- "Terraform-like apply<br/>with consumer credentials" --> Cloud
- Maintainer opens PR; CI runs lint/test/Semgrep/CodeQL/fuzz; DCO check enforces
Signed-off-by:. - Maintainer merges with signed commit.
push.yamlfires on push-to-main. preparejob callsreecetech/version-incrementto compute the next calver.build-platformsmatrix buildsscper OS/arch, runs syft → CycloneDX SBOM, cosign sign-blob → bundle,actions/attest-build-provenance→ SLSA Build L3 bundle.docker-buildmatrix builds + signs each published image (caddy, kubectl, cloud-helpers, github-actions).docker-finalizeconsolidates the dist bundle, runswelder tag-release(pushes the git tag), runswelder deploy -e prod(uploads todist.simple-container.com), and (PR #270) runsscripts/create-github-release.shto create the GitHub Release with all signed sidecars attached.
- User runs
curl -sSL https://dist.simple-container.com/sc.sh | bash. sc.shresolves the latest production tarball URL.- Downloads tarball +
.cosign-bundlesidecar. - Runs
cosign verify-blobagainst the production OIDC identity regex^https://github\.com/simple-container-com/api/\.github/workflows/push\.yaml@refs/heads/main$. - If verify passes (or cosign is absent and user opted into graceful fallback), extracts the binary and installs to
$BINDIR/sc. - Optionally installs Pulumi (also SHA256-verified per PR #267).
screads consumer-side cfg files + secrets from environment / SSM / GCP Secret Manager (consumer-held credentials).- Computes the Pulumi stack inputs.
- Invokes Pulumi engine in-process.
- Pulumi applies against consumer's AWS/GCP/K8s account.
scwrites back outputs (URLs, secrets) into consumer's cfg.
| Boundary | Crossing direction | Defense |
|---|---|---|
| Dev → GH Actions | Developer's signed commit reaches the build runner | Branch protection (signed commits required, ≥1 reviewer, DCO trailer enforced) |
| GH Actions → Sigstore | Build runner mints a cosign keyless cert via GitHub OIDC | Sigstore Fulcio validates the OIDC token; ephemeral cert bound to workflow identity |
| Sigstore → dist | Cosign bundle + SLSA attestation flow into the publish artifacts | Sigstore Rekor records every cert issuance in the public transparency log |
| dist → end user | Tarball + sidecars fetched from CDN | DNSSEC + Cloudflare WAF rate-limit; sc.sh verifies signatures before extraction |
| sc CLI → consumer cloud | sc provision calls cloud APIs with consumer credentials |
SC has no standing credentials; consumer-supplied per-invocation |
| External dep ingestion | Go module proxy, pip index, Docker Hub, GitHub releases of installer tools | Hash-pinned (go.sum, --require-hashes, SHA digest); see DEPENDENCIES.md |
For deeper component-level designs, see:
docs/design/cloud-api/01-system-architecture.md— cloud-api system architecturedocs/design/cloud-api/02-database-design.md— database designdocs/design/cloud-api/08-deployment-architecture.md— deployment architecturedocs/design/container-security/component-design.md— container security component designdocs/design/2026-04-07/branch-preview-workflow/architecture.md— branch-preview pipeline- Feature-specific design records under
docs/design/YYYY-MM-DD/
- SECURITY.md — threat model (STRIDE) + attack vectors V1–V5 + responsible-disclosure channels
- DEPENDENCIES.md — dependency selection / obtaining / tracking
- SECRETS-POLICY.md — secret categorisation, storage, rotation cadence
- MAINTAINERS.md — project members with access to sensitive resources
- RELEASES.md — release pipeline, signing chain, vuln-disclosure flow
- ROADMAP.md — public roadmap state (Issues labels, themes, release cadence)