# AI Documentation Security

URL: https://edu.chainguard.dev/ai-docs-security.md
Last Modified: July 30, 2025

Learn about the security measures and compilation process for Chainguard's AI documentation bundles

## Overview

Chainguard's AI documentation bundles are compiled with multiple security measures to ensure developers can trust the content they're using with AI coding assistants. This page details our security practices and compilation process.

## Security Measures

### 1. Automated Security Scanning

Every compilation runs through multiple security checks:

- **Secret Detection**: We scan for API keys, tokens, and other sensitive data
- **Pattern Matching**: Common secret patterns are automatically redacted
- **File Size Limits**: Individual files limited to 10MB, total bundle to 50MB
- **Extension Filtering**: Only `.md`, `.html`, and `.json` files are processed

### 2. Cryptographic Signatures

All documentation bundles are signed using Sigstore/Cosign:

- **Keyless Signing**: Using OIDC identity verification
- **Transparency Log**: All signatures recorded in Rekor
- **Certificate Chain**: Full certificate provided for verification
- **Multiple Signatures**: Both individual files and bundles are signed

### 3. Content Integrity

We ensure content hasn't been tampered with:

- **SHA-256 Checksums**: For all files in the bundle
- **Signed Checksums**: The checksum file itself is signed
- **Build Provenance**: GitHub Actions workflow attestations
- **Container Signing**: Images signed by immutable digest with Cosign

## Compilation Process

### Source Repositories

Documentation is compiled from these official repositories:

- `chainguard-dev/edu`: Main documentation site
- `chainguard-dev/courses`: Learning materials
- `chainguard-images/images-private`: Image documentation

### Build Environment

- **GitHub Actions**: Secure, ephemeral build environment
- **Resource Limits**: CPU and memory constraints enforced
- **Restricted Egress**: Network access limited to required endpoints via StepSecurity Harden Runner
- **Minimal Permissions**: Only required repository access

### What Gets Filtered

During compilation, we automatically remove:

- Environment variables and secrets
- Internal URLs and endpoints
- Base64 encoded data blocks
- Private key materials
- Authentication tokens

Example patterns we redact:

- `api_key=...`
- `password=...`
- `-----BEGIN PRIVATE KEY-----`
- GitHub tokens (`ghp_`, `ghs_`)

## Verification Guide

### Container Image Verification

Verify the container image signature before pulling documentation:

```bash
cosign verify ghcr.io/chainguard-dev/ai-docs:latest \
  --certificate-identity-regexp ".*github.com/chainguard-dev/edu.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

## Build Frequency

- **Scheduled Builds**: Weekly on Sundays at 2 AM UTC
- **On-Demand**: Triggered by documentation changes or cross-repo updates via `repository_dispatch`
- **Container Distribution**: Updated container pushed to GHCR on each build

## Security Reporting

If you discover a security issue:

- Do NOT open a public issue
- Email security@chainguard.dev
- Include:
  - Description of the issue
  - Steps to reproduce
  - Potential impact

## FAQ

### Why are some sections marked [REDACTED]?

This indicates our security scanner detected potentially sensitive information and removed it to protect our systems and users.
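
The extension, size and redaction rules listed under What Gets Filtered, which produce these `[REDACTED]` markers, sketched as an added example. This is not Chainguard's `compile_docs.py`; the regular expressions, function names and skip reasons are assumptions, and the sample input is constructed.

```python
import re
from pathlib import PurePosixPath

ALLOWED_EXT = {".md", ".html", ".json"}   # extensions the page says are processed
MAX_FILE = 10 * 1024 * 1024               # 10MB per file, per the page
MAX_BUNDLE = 50 * 1024 * 1024             # 50MB per bundle, per the page
MARK = "[REDACTED]"

# Assumed regexes for the pattern families the page lists (not the project's own).
PEM = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?"
                 r"(?:-----END (?:[A-Z]+ )?PRIVATE KEY-----|\Z)", re.S)
GH_TOKEN = re.compile(r"\bgh[ps]_[A-Za-z0-9]{20,}")
KEY_VALUE = re.compile(r"(?i)\b(api_key|password)([\"']?[ \t]*[=:][ \t]*)"
                       r"(?:([\"'])[^\n]*?\3|[^\s\"',;&]+)")

def _redact_value(m):
    quote = m.group(3) or ""              # keep quotes so JSON stays parseable
    return f"{m.group(1)}{m.group(2)}{quote}{MARK}{quote}"

def redact(text):
    """Return (clean_text, hits). Key blocks go first so nothing inside leaks."""
    text, n_pem = PEM.subn(MARK, text)    # a header with no footer is cut to EOF
    text, n_tok = GH_TOKEN.subn(MARK, text)
    text, n_kv = KEY_VALUE.subn(_redact_value, text)
    return text, n_pem + n_tok + n_kv

def compile_bundle(files):
    """files: {path: bytes}. Returns ({path: redacted text}, [(path, reason)])."""
    bundle, skipped, total = {}, [], 0
    for path in sorted(files):
        data = files[path]
        if PurePosixPath(path).suffix.lower() not in ALLOWED_EXT:
            skipped.append((path, "extension"))
        elif len(data) > MAX_FILE:
            skipped.append((path, "file too large"))
        elif total + len(data) > MAX_BUNDLE:
            skipped.append((path, "bundle limit"))
        else:
            total += len(data)
            bundle[path], _ = redact(data.decode("utf-8", errors="replace"))
    return bundle, skipped

if __name__ == "__main__":
    # Constructed sample input, not taken from any real bundle.
    demo = {"guide.md": b'api_key=abc123\n{"password": "hunter2"}\n',
            "logo.png": b"\x89PNG"}
    print(compile_bundle(demo))
```
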

### Can I build the bundle myself?

Yes! The compilation scripts are open source:

```bash
git clone https://github.com/chainguard-dev/edu
cd edu
python3 scripts/compile_docs.py
```

### How do I verify the build logs?

Build logs are public on GitHub Actions:

View Build Logs

### What if verification fails?

- Ensure you have the latest version of cosign
- Check your internet connection (for transparency log verification)
- Try downloading the files again
- Report persistent issues to support@chainguard.dev

## Additional Resources

- Sigstore Documentation
- Cosign Installation
- Supply Chain Security
- Chainguard Security Practices
