This repository is an internal tool to generate pre-packaged versions of CTFd. In practice, it is used to publish the Docker image ctferio/ctfd.
This image integrates our work for direct reuse, and fits our security policies on traceability and auditability of the software supply chain.
It contains:
For deployment purposes (especially when deploying on Kubernetes), you may want to verify the integrity of what you run.
The Docker image is SLSA 3, and its provenance can be verified with slsa-verifier using the following command (replace <tag> with the image tag and <digest> with the manifest digest of that tag).
slsa-verifier verify-image "ctferio/ctfd:<tag>@sha256:<digest>" \
--source-uri "github.com/ctfer-io/ctfd" \
--source-tag "<tag>"
Alternatives exist, such as Kyverno for a Kubernetes-based deployment.
An SBOM is generated for the Docker image and attached to its manifest; it can be inspected using the following command.
docker buildx imagetools inspect "ctferio/ctfd:<tag>" \
--format "{{ json .SBOM.SPDX }}"
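The two commands above are the building blocks of a pre-deployment gate: pin the tag to its digest, verify the provenance of that exact digest, and only then pull the SBOM for review. The script below is an added example of such a gate, not a script shipped by the ctfer-io/ctfd project. It assumes docker (with buildx), slsa-verifier and jq are installed and that the host can reach Docker Hub; the `.Manifest.Digest` template field used to resolve the digest is an assumption about the buildx imagetools template, and the tag used in the usage note is a constructed placeholder.

```shell
#!/bin/sh
# Added example: deployment gate for ctferio/ctfd (not the project's own script).
# Flow: tag -> digest -> SLSA provenance check -> SBOM package listing.
IMAGE="ctferio/ctfd"
SOURCE_URI="github.com/ctfer-io/ctfd"

# image_ref <tag> <digest>: build "ctferio/ctfd:<tag>@sha256:<hex>".
# Refuses anything that is not a well-formed sha256 digest, so an empty or
# error-text lookup result can never reach slsa-verifier as an image reference.
image_ref() {
    tag=$1; digest=$2
    hex=${digest#sha256:}
    if [ "$hex" = "$digest" ] || [ "${#hex}" -ne 64 ]; then
        echo "malformed digest: $digest" >&2; return 1
    fi
    case "$hex" in
        *[!0-9a-f]*) echo "malformed digest: $digest" >&2; return 1 ;;
    esac
    printf '%s:%s@%s\n' "$IMAGE" "$tag" "$digest"
}

# resolve_digest <tag>: ask the registry for the manifest digest behind a tag.
# (.Manifest.Digest is assumed to be the descriptor digest exposed by imagetools.)
resolve_digest() {
    docker buildx imagetools inspect "$IMAGE:$1" --format '{{ .Manifest.Digest }}'
}

# verify_provenance <tag> <digest>: the slsa-verifier call from the README,
# run against the digest-pinned reference rather than a floating tag.
verify_provenance() {
    ref=$(image_ref "$1" "$2") || return 1
    slsa-verifier verify-image "$ref" \
        --source-uri "$SOURCE_URI" \
        --source-tag "$1"
}

# sbom_packages <tag>: list "name version" for every package in the SPDX SBOM
# attached to the image manifest (same inspect call as the README, piped to jq).
sbom_packages() {
    docker buildx imagetools inspect "$IMAGE:$1" --format '{{ json .SBOM.SPDX }}' \
        | jq -r '.packages[] | "\(.name) \(.versionInfo // "-")"'
}

# verify_ctfd <tag>: run the whole gate; non-zero exit means "do not deploy".
verify_ctfd() {
    tag=$1
    digest=$(resolve_digest "$tag") || { echo "could not resolve $IMAGE:$tag" >&2; return 1; }
    if ! verify_provenance "$tag" "$digest"; then
        echo "provenance verification FAILED for $IMAGE:$tag@$digest" >&2
        return 1
    fi
    echo "verified: $(image_ref "$tag" "$digest")"
    echo "SBOM packages:"
    sbom_packages "$tag"
}

# Run the gate when a tag is given on the command line; otherwise only define
# the functions so the file can be sourced.
if [ -n "${1:-}" ]; then verify_ctfd "$1"; fi
```

Usage: `sh verify-ctfd.sh v0.0.0-example` (placeholder tag) prints the digest-pinned reference and the SBOM package list on success, and exits non-zero if the digest cannot be resolved or slsa-verifier rejects the provenance. Pinning to the digest matters because a tag can be moved after verification; the reference printed by the gate is the one to put in the deployment manifest.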