AI Documentation Security

Learn about the security measures and compilation process for Chainguard's AI documentation bundles

3 min read

Overview

Chainguard’s AI documentation bundles are compiled with multiple security measures to ensure developers can trust the content they’re using with AI coding assistants. This page details our security practices and compilation process.

Security Measures

1. Automated Security Scanning

Every compilation runs through multiple security checks:

Secret Detection: We scan for API keys, tokens, and other sensitive data
Pattern Matching: Common secret patterns are automatically redacted
File Size Limits: Individual files limited to 10MB, total bundle to 50MB
Extension Filtering: Only .md, .html, and .json files are processed

2. Cryptographic Signatures

All documentation bundles are signed using Sigstore/Cosign:

Keyless Signing: Using OIDC identity verification
Transparency Log: All signatures recorded in Rekor
Certificate Chain: Full certificate provided for verification
Multiple Signatures: Both individual files and bundles are signed

3. Content Integrity

We ensure content hasn’t been tampered with:

SHA-256 Checksums: For all files in the bundle
Signed Checksums: The checksum file itself is signed
Build Provenance: GitHub Actions workflow attestations
Container Signing: Images signed by immutable digest with Cosign

Compilation Process

Source Repositories

Documentation is compiled from these official repositories:

chainguard-dev/edu: Main documentation site
chainguard-dev/courses: Learning materials
chainguard-images/images-private: Image documentation

Build Environment

GitHub Actions: Secure, ephemeral build environment
Resource Limits: CPU and memory constraints enforced
Restricted Egress: Network access limited to required endpoints via StepSecurity Harden Runner
Minimal Permissions: Only required repository access

What Gets Filtered

During compilation, we automatically remove:

Environment variables and secrets
Internal URLs and endpoints
Base64 encoded data blocks
Private key materials
Authentication tokens

Example patterns we redact:

api_key=...
password=...
-----BEGIN PRIVATE KEY-----
GitHub tokens (ghp_, ghs_)

Verification Guide

Direct Download Verification

# 1. Download files
curl -LO https://github.com/chainguard-dev/edu/releases/download/ai-docs-bundle/chainguard-ai-docs.tar.gz
curl -LO https://github.com/chainguard-dev/edu/releases/download/ai-docs-bundle/chainguard-ai-docs.tar.gz.bundle

# 2. Verify signature (using cosign v3 bundle format)
cosign verify-blob \
  --bundle chainguard-ai-docs.tar.gz.bundle \
  --certificate-identity-regexp ".*github.com/chainguard-dev/edu.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  chainguard-ai-docs.tar.gz

# 3. Extract contents
tar -xzf chainguard-ai-docs.tar.gz

Build Frequency

Scheduled Builds: Weekly on Sundays at 2 AM UTC
On-Demand: Triggered by documentation changes or cross-repo updates via repository_dispatch
Container Distribution: Updated container pushed to GHCR on each build

Security Reporting

If you discover a security issue:

Do NOT open a public issue
Email security@chainguard.dev
Include:
- Description of the issue
- Steps to reproduce
- Potential impact

FAQ

Why are some sections marked [REDACTED]?

This indicates our security scanner detected potentially sensitive information and removed it to protect our systems and users.

Can I build the bundle myself?

Yes! The compilation scripts are open source:

git clone https://github.com/chainguard-dev/edu
cd edu
python3 scripts/compile_docs.py

How do I verify the build logs?

Build logs are public on GitHub Actions:

View Build Logs

What if verification fails?

Ensure you have the latest version of cosign
Check your internet connection (for transparency log verification)
Try downloading the files again
Report persistent issues to support@chainguard.dev

Additional Resources

Last updated: 2025-07-30 10:00