Security disclosure (v1)
At Aleph Alpha, we prioritise the security and sovereignty of your data throughout all layers of the PhariaAI suite, ensuring robust protection while maintaining full compliance with industry standards. We conduct regular vulnerability scanning and implement comprehensive security measures to safeguard your installation while providing you with complete control over your confidential information.
This page describes the legacy ORAS-based security approach that is being phased out during Q4/2025.
For new images, we are migrating to a Cosign-based approach described in the Source Attestation (v2) page.
If an image you're working with doesn't have ORAS attachments as described here, it has likely already migrated to the new Cosign flow.
ORAS attachments
OCI Registry As Storage (ORAS) is a tool that enables pushing and pulling OCI artifacts to and from OCI registries, allowing us to attach security-related artifacts to our container images.
Attached security artifacts
During our build process, we attach three critical security artifacts to our container images using ORAS:
- Software bill of materials (SBOM): We generate a comprehensive SBOM using Trivy and attach it to each image. It lists all components and dependencies.
- Trivy build-time scan reports: Each image undergoes a security scan using Trivy during build time, and we attach the full scan report as an artifact.
- Triage whitelist: We maintain a whitelist of known issues that have been triaged and deemed acceptable for specific use cases. This is used as a `.trivyignore` file during the CVE scan. It is attached to the image to provide context for vulnerability management.
Retrieving ORAS attachments
You first need to install two tools:
- oras: The ORAS client - installation instructions
- jq: A lightweight command-line JSON processor - installation instructions
You then log into our artifact registry on JFrog:

```bash
oras login alephalpha.jfrog.io
```
To access the attached security artifacts, you can do either of the following:
- Use the ORAS client manually
- Use a bash script
Manually using the ORAS client
- Run ORAS discover:

```bash
oras discover alephalpha.jfrog.io/pharia-studio-images/studio-backend:v0.1.25 --format json | jq '.'
```

- Identify the artifact you want to download. For example, the `artifactType` for the SBOM is `application/aa.trivy.sbom`:

```bash
oras discover alephalpha.jfrog.io/pharia-studio-images/studio-backend:v0.1.25 --format json | jq '.manifests[].artifactType'
"application/aa.trivy.report"
"application/aa.trivy.triage"
"application/vnd.goharbor.harbor.sbom.v1"
"application/aa.trivy.sbom"
```

- Do an ORAS pull to download the relevant artifact:

```bash
oras pull alephalpha.jfrog.io/pharia-studio-images/studio-backend@sha256:f6ccb6f77c4aefb3a1565e1872c983feb69d02f82a0cf56e430a0740e454e9f0
```
Using a bash script
Here is a representative script that you can use to fetch security artifacts:
```bash
#!/bin/bash
# Fetch an ORAS-attached security artifact (report, sbom or triage) for an image
# and stream it to stdout.

# Check for required commands
for cmd in oras jq; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    echo "Error: $cmd is not installed"
    echo "Please install $cmd:"
    case "$cmd" in
      "oras")
        echo " - Using Homebrew: brew install oras"
        echo " - Using MacPorts: port install oras"
        ;;
      "jq")
        echo " - Using Homebrew: brew install jq"
        echo " - Using MacPorts: port install jq"
        ;;
    esac
    exit 1
  fi
done

# Both the artifact type and the image name are required
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "Usage: $0 <artifact-type> <image-name>"
  echo "available artifact types: report, sbom, triage"
  exit 1
fi
ARTIFACT_TYPE="application/aa.trivy.$1"
IMAGE_NAME=$2

# Discover the referrer manifests attached to the image
if ! ORAS_DISCOVER_OUTPUT=$(oras discover "$IMAGE_NAME" --format json); then
  echo "Failed to discover manifests for image $IMAGE_NAME"
  exit 1
fi

# Select the manifest whose artifactType matches the requested one
MANIFEST_INFO=$(echo "$ORAS_DISCOVER_OUTPUT" | jq -r '.manifests[] | select(.artifactType == "'"$ARTIFACT_TYPE"'")')
if [ -z "$MANIFEST_INFO" ]; then
  echo "Error: No manifest found with artifactType '$ARTIFACT_TYPE', available artifact types: report, sbom, triage"
  exit 1
fi

# Fetch that manifest and take the digest of its first layer, which holds the artifact content
MANIFEST_DIGEST=$(oras manifest fetch "$(jq -r '.reference' <<< "$MANIFEST_INFO")" | jq -r '.layers[0].digest')
if [ -z "$MANIFEST_DIGEST" ] || [ "$MANIFEST_DIGEST" = "null" ]; then
  echo "Error: could not determine the layer digest for artifactType '$ARTIFACT_TYPE'"
  exit 1
fi

# Strip the tag or digest from the image name: blobs are addressed by repository plus digest.
# Only the trailing ':tag' is removed, so a registry port (host:5000/repo:tag) stays intact.
if [[ "$IMAGE_NAME" == *"@"* ]]; then
  IMAGE_WITHOUT_VERSION="${IMAGE_NAME%@*}"
else
  IMAGE_WITHOUT_VERSION="${IMAGE_NAME%:*}"
fi

# Write the blob to stdout so the caller can redirect it to a file
oras blob fetch --output - "$IMAGE_WITHOUT_VERSION@$MANIFEST_DIGEST"
```
Save your script to a file (for example, `fetch-artifact.sh`) and make it executable:

```bash
chmod +x fetch-artifact.sh
```
Fetch the SBOM
To retrieve the SBOM for a specific image:

```bash
./fetch-artifact.sh sbom alephalpha.jfrog.io/pharia-studio-images/studio-backend:v0.1.25 > sbom.json
```

The SBOM is in CycloneDX JSON format.
Fetch the Trivy scan report
To retrieve the Trivy vulnerability scan report:

```bash
./fetch-artifact.sh report alephalpha.jfrog.io/pharia-studio-images/studio-backend:v0.1.25 > trivy-report.json
```

Fetch the triage whitelist
To retrieve the triage whitelist:

```bash
./fetch-artifact.sh triage alephalpha.jfrog.io/pharia-studio-images/studio-backend:v0.1.25 > triage.toml
```
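Once the three artifacts are on disk, a consumer will want to check them against each other: which report findings the triage whitelist does not cover, and whether every vulnerable package the report names actually appears in the SBOM. The following Python is an added example, not part of this page or of Aleph Alpha's tooling; it assumes the whitelist is in plain `.trivyignore` format (one vulnerability ID per line, `#` comments) and uses constructed, abridged samples of the Trivy report and CycloneDX SBOM fields it reads.

```python
import json

# Constructed sample of a Trivy JSON report, abridged to the fields used below.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "studio-backend (debian 12)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
         "InstalledVersion": "2.3", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
         "InstalledVersion": "0.9", "Severity": "LOW"},
    ]}]})
# Constructed sample triage whitelist, assumed to be in .trivyignore format.
SAMPLE_TRIAGE = "# triaged: affected code path is not reachable\nCVE-0000-0001\n"
# Constructed sample CycloneDX SBOM, abridged to its component list.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "libfoo", "version": "1.0"}, {"name": "libbar", "version": "2.3"}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_trivyignore(text):
    """Return the set of vulnerability IDs listed in a .trivyignore file."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            ids.add(line)
    return ids


def _vulnerabilities(report_json):
    for result in json.loads(report_json).get("Results", []):
        yield from result.get("Vulnerabilities") or []  # key is absent for clean targets


def unsuppressed_findings(report_json, triage_text, min_severity="HIGH"):
    """Findings at or above min_severity that the triage whitelist does not cover."""
    ignored = parse_trivyignore(triage_text)
    threshold = SEVERITY_RANK[min_severity]
    return [(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["Severity"])
            for v in _vulnerabilities(report_json)
            if v["VulnerabilityID"] not in ignored
            and SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold]


def packages_missing_from_sbom(report_json, sbom_json):
    """Vulnerable packages named in the report but absent from the SBOM's components."""
    in_sbom = {(c["name"], c.get("version")) for c in json.loads(sbom_json).get("components", [])}
    return sorted({(v["PkgName"], v["InstalledVersion"]) for v in _vulnerabilities(report_json)} - in_sbom)
```

Run it against the real files by reading `trivy-report.json`, `triage.toml` and `sbom.json` into the three arguments; a non-empty result from `packages_missing_from_sbom` means the report and SBOM were not produced from the same image contents and should be re-fetched.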