
suppline

Self-hosted image intake gateway for Kubernetes

Continuous registry mirroring with vulnerability scanning, policy enforcement, and Sigstore attestations. Secure your supply chain with air-gap compatible deployments.

Core Features

Continuous Registry Mirroring

Automatically mirror container images from remote registries to your local registry with configurable policies.

Vulnerability Scanning

Integrated Trivy scanning to detect vulnerabilities in mirrored images before they reach your cluster.

Policy Engine

Define and enforce policies using Kyverno to control which images can be deployed in your Kubernetes cluster.

Sigstore Attestations

Generate and verify Sigstore attestations for supply chain security and compliance requirements.

State Persistence

SQLite-based state store to track mirrored images, scan results, and policy decisions across restarts.

REST API

Comprehensive REST API for querying scan results, managing policies, and integrating with external systems.

Observability

Built-in metrics, structured logging, and health checks for monitoring and troubleshooting deployments.

Air-Gap Compatible

Deploy suppline in air-gapped environments with pre-downloaded images and offline policy configurations.

Why Mirror Images?

Increased Availability

Reduce dependency on external registries and ensure images are always available for your deployments.

Decreased Vendor Dependency

Mitigate risks from registry outages, rate limiting, or vendor policy changes.

Improved Supply Chain Security

Scan and validate images before they enter your cluster with comprehensive vulnerability detection.

Air-Gap Deployments

Support disconnected environments with pre-mirrored images and offline policy enforcement.

Compliance & Audit

Maintain audit trails of all mirrored images, scan results, and policy decisions for compliance requirements.

Cost Optimization

Reduce bandwidth costs and registry API calls by caching images locally.

Dashboard Preview

Architecture

Pipeline architecture diagram (image): remote registries feed the mirroring, scanning, policy engine and attestation stages, which push the approved image to the local registry.

Pipeline Components

  • Watcher: Monitors configured registries for new or updated images
  • Queue: Manages work items for processing
  • Worker: Pulls images from remote registries and pushes to local registry
  • Scanner: Scans images for vulnerabilities using Trivy
  • Policy Engine: Enforces policies using Kyverno
  • Attestor: Generates Sigstore attestations for supply chain security
  • State Store: Persists scan results and policy decisions
  • REST API: Provides access to scan results and system status

Getting Started

  1. Configure suppline

    Create a configuration file specifying your registry credentials and the images to sync. Credentials are read from environment variables through the {{ env ... }} template expressions rather than written into the file:

    creds:
      - registry: docker.io
        user: '{{ env "DOCKER_USERNAME" }}'
        pass: '{{ env "DOCKER_PASSWORD" }}'
    sync:
      - source: nginx
        target: myprivateregistry/nginx
        type: repository
    
  2. Generate Keys

    Generate a Sigstore key pair for attestations and base64-encode the private key for the config. cosign prompts for a password that encrypts cosign.key (set COSIGN_PASSWORD to avoid the prompt in automation); keep the encoded key and its password out of version control and supply them through the environment file or a Kubernetes Secret:

    cosign generate-key-pair
    cat cosign.key | base64 -w0

    base64 -w0 is GNU coreutils; on macOS or BSD use base64 < cosign.key | tr -d '\n' instead.

  3. Set Up Environment

    Copy the environment template and edit it with your registry credentials and the encoded key:

    cp env.template .env
    vim .env

  4. Start suppline

    Deploy with Docker Compose:

    docker compose up

    or with Helm into your Kubernetes cluster, then forward the UI service to reach the dashboard. values-secrets.yaml carries the credentials and the key, so exclude it from version control:

    helm upgrade --install -f charts/suppline/values.yaml -f charts/suppline/values-secrets.yaml suppline charts/suppline
    kubectl port-forward svc/suppline-ui 3000:80

  5. Verify

    Open the dashboard and confirm that images are being mirrored and scanned:

    http://localhost:3000
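The dashboard shows what suppline mirrored; it does not show whether the cluster is actually running those images. The script below is an added example, not part of suppline, that audits a namespace from the consumer side: it lists every container and init container image, flags any image whose registry is not the mirror, and runs cosign verify-attestation against the mirrored ones with the public key from step 2. Everything in it is an assumption beyond the page: kubectl and cosign on PATH, cosign.pub in the working directory, MIRROR set to the mirror's registry host (the default registry.internal:5000 is invented), and PREDICATE_TYPE set to the predicateType of the attestation suppline writes (custom is only cosign's default). The registry-detection rule is the one container runtimes use: a first path component counts as a registry only if it contains a dot or a colon or is localhost, so a bare target such as myprivateregistry/nginx from the sample config would be resolved by the kubelet as a Docker Hub namespace, not a private host.

```shell
#!/bin/sh
# Added example, not part of suppline: audit what a namespace is actually
# running after the mirror is up. Assumptions (not from the page):
#   - kubectl and cosign are on PATH and kubectl points at the cluster
#   - cosign.pub from step 2 is in the working directory
#   - MIRROR is the registry host images should come from (invented default)
#   - PREDICATE_TYPE is the predicateType of the attestation suppline
#     emits; 'custom' is only cosign's default, substitute the real one
set -eu

MIRROR="${MIRROR:-registry.internal:5000}"
PREDICATE_TYPE="${PREDICATE_TYPE:-custom}"

# Registry host of an image reference, using the same rule container
# runtimes use: the first path component is a registry only if it
# contains '.' or ':' or is 'localhost'; otherwise the image is on
# docker.io. Decided before any tag handling, because in
# 'registry:5000/app' the colon is a port, while in 'app:1.2' it is a tag.
image_registry() {
  ir_ref=$1
  case $ir_ref in
    */*) ir_first=${ir_ref%%/*} ;;
    *)   echo docker.io; return 0 ;;
  esac
  case $ir_first in
    *.*|*:*|localhost) echo "$ir_first" ;;
    *)                 echo docker.io ;;
  esac
}

# Read one image reference per line, print a verdict for each and
# return 1 if any image is not served by $MIRROR.
audit_images() {
  ai_rc=0
  while IFS= read -r ai_ref; do
    [ -n "$ai_ref" ] || continue
    if [ "$(image_registry "$ai_ref")" = "$MIRROR" ]; then
      echo "mirrored   $ai_ref"
    else
      echo "FOREIGN    $ai_ref"
      ai_rc=1
    fi
  done
  return $ai_rc
}

# Check that a mirrored image carries an attestation signed with the
# key pair from step 2. In an air-gapped cluster with no reachable
# transparency log, add --insecure-ignore-tlog to the cosign call.
verify_attestation() {
  cosign verify-attestation --key cosign.pub --type "$PREDICATE_TYPE" "$1" >/dev/null 2>&1
}

# Collect every container and init container image in a namespace,
# then apply both checks. Returns 1 if anything fails.
audit_namespace() {
  an_ns=$1
  an_images=$( {
    kubectl get pods -n "$an_ns" -o jsonpath='{.items[*].spec.containers[*].image}'; echo
    kubectl get pods -n "$an_ns" -o jsonpath='{.items[*].spec.initContainers[*].image}'; echo
  } | tr ' ' '\n' | sort -u )
  an_rc=0
  printf '%s\n' "$an_images" | audit_images || an_rc=1
  for an_img in $an_images; do
    [ "$(image_registry "$an_img")" = "$MIRROR" ] || continue
    if verify_attestation "$an_img"; then
      echo "attested   $an_img"
    else
      echo "UNATTESTED $an_img"
      an_rc=1
    fi
  done
  return $an_rc
}

# Usage: MIRROR=registry.internal:5000 sh audit.sh audit <namespace>
case "${1:-}" in
  audit) audit_namespace "${2:-default}" ;;
esac
```

A non-zero exit from audit_namespace is the useful signal: a FOREIGN line means a workload bypassed the mirror (a Kyverno rule restricting image references to the mirror host would block that at admission), and an UNATTESTED line means the image reached the registry without passing through suppline's attestor, or the predicate type does not match what suppline writes.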

For detailed documentation and advanced configuration, visit the GitHub repository:

View Full Documentation