Container deployments today rely on vulnerability scanners, image signers, and admission controllers
to establish software quality before deployment. However, once a container is running, the evidence
that informed the deployment decision is no longer associated with the workload.
This creates a recurring maintenance problem in governance-regulated environments.
Status Quo:
  SBOM, vulnerability scans, and signatures exist only at build time
  Running containers have no structured governance context
  Policy changes require manual re-assessment of deployed workloads
  Incident response cannot target containers by content
With ConCert:
  Governance evidence is sealed into the deployment artifact
  Every running container is linked to its full supply-chain context
  Policy changes automatically propagate to running workloads
  Operators can stop containers by CVE, package, or contributor
Approach
ConCert addresses the gap between build-time analysis and runtime enforcement through two mechanisms:
Sealed governance artifact. The concert build command packages an OCI container image together with its CycloneDX SBOM (generated by Syft), vulnerability scan (generated by Grype), digital signature (Minisign), and test evidence into a portable .concert archive. The signed manifest serves as the root of trust; any modification to the bundled evidence is immediately detectable.
Continuous runtime enforcement. A background orchestrator periodically re-evaluates all managed containers against the active policy set. When policies change, non-compliant containers are automatically blocked. Predicate-based selectors enable targeted incident response, such as concert stop 'VULNs includes CVE-2024-3094'.
Architecture
Governance Dimensions
ConCert evaluates artifacts against six configurable policy dimensions:
Severity Gate: Deny containers with CRITICAL or HIGH vulnerabilities
CVE Deny List: Block specific known vulnerabilities by ID
Package Deny List: Reject artifacts containing specific packages
Test Requirements: Require passing test suite evidence
Cryptographic Trust: Only admit artifacts signed by trusted keys
Contributor Governance: Block artifacts from compromised maintainers
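To make the six dimensions and the predicate selectors concrete, here is an added illustration in Python (not ConCert's own Kotlin code): it evaluates a container's sealed evidence against a policy and resolves a selector such as 'VULNs includes CVE-2024-3094' to the containers it would stop. The Evidence and Policy shapes, the field names VULNS/PKGS/CONTRIBUTORS, the key ids and the sample fleet are all assumptions constructed for the example.

```python
# Added illustration, not ConCert's own code: evaluates the six governance dimensions and a
# predicate selector against a container's sealed evidence. Shapes and names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Evidence:                  # constructed stand-in for the contents of a .concert archive
    vulns: dict[str, str]        # CVE id -> severity, as a Grype scan reports it
    packages: set[str]           # package names from the CycloneDX SBOM
    tests_passed: bool           # bundled test evidence
    signer: str                  # id of the Minisign key that signed the manifest
    contributors: set[str]       # maintainers recorded for the artifact

@dataclass
class Policy:                    # one field per dimension; empty means no restriction
    severity_gate: set[str] = field(default_factory=set)
    cve_denylist: set[str] = field(default_factory=set)
    package_denylist: set[str] = field(default_factory=set)
    require_tests: bool = False
    trusted_keys: set[str] = field(default_factory=set)
    contributor_denylist: set[str] = field(default_factory=set)

def evaluate(ev: Evidence, pol: Policy) -> list[str]:
    """Names of the violated dimensions; an empty list means the artifact is admitted."""
    checks = [
        ("severity_gate", any(s in pol.severity_gate for s in ev.vulns.values())),
        ("cve_denylist", bool(ev.vulns.keys() & pol.cve_denylist)),
        ("package_denylist", bool(ev.packages & pol.package_denylist)),
        ("test_requirements", pol.require_tests and not ev.tests_passed),
        ("cryptographic_trust", bool(pol.trusted_keys) and ev.signer not in pol.trusted_keys),
        ("contributor_governance", bool(ev.contributors & pol.contributor_denylist)),
    ]
    return [name for name, violated in checks if violated]

FIELDS = {"VULNS": lambda e: set(e.vulns), "PKGS": lambda e: e.packages,
          "CONTRIBUTORS": lambda e: e.contributors}

def matches(ev: Evidence, predicate: str) -> bool:
    """Selector of the form '<FIELD> includes <value>', e.g. 'VULNs includes CVE-2024-3094'."""
    fld, op, value = predicate.split(maxsplit=2)
    if op != "includes" or fld.upper() not in FIELDS:
        raise ValueError(f"unsupported predicate: {predicate!r}")
    return value in FIELDS[fld.upper()](ev)

def stop_targets(containers: dict[str, Evidence], predicate: str) -> list[str]:
    """Running containers whose sealed evidence satisfies the predicate (the 'concert stop' analog)."""
    return sorted(name for name, ev in containers.items() if matches(ev, predicate))

FLEET = {  # constructed sample fleet: one container carrying a denied CVE, one clean
    "api": Evidence({"CVE-2024-3094": "CRITICAL"}, {"xz-utils", "openssl"}, True, "key-ops-1", {"maintainer-a"}),
    "web": Evidence({"CVE-0000-0001": "LOW"}, {"openssl"}, True, "key-ops-1", {"maintainer-b"}),
}
```

Because the evidence travels with the artifact, the same evaluate() call serves both admission at deploy time and the periodic re-evaluation when the policy set changes.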
Screencast
The following screencast demonstrates the full governance workflow: artifact inspection, trust and
policy setup, admission control, predicate-based incident response, continuous governance, and
contributor deny-listing.
Recorded with VHS. The demo script is version-controlled at demo/demo.tape and can be re-recorded with vhs demo/demo.tape.
Reproducibility
ConCert uses a Nix flake for fully reproducible setup.
All dependencies (JDK, Kotlin, Gradle, Syft, Grype, Minisign) are declared in
flake.nix and pinned via flake.lock.
git clone https://github.com/containerutils/ConCert.git && cd ConCert
nix develop
concert --help
Source code, governance rules, test suite (96 automated tests), and demo scripts are available in the
repository.
ConCert operates as a governance layer on top of standard container engines (Docker, Podman).