
Wolfi OpenSSL FIPS

High-Assurance Cryptographic Infrastructure

Architectures: AMD64, ARM64

A production-ready container environment for OpenSSL with the FIPS 140-3 validated FIPS provider, built exclusively on the hardened Wolfi "un-distro" ecosystem and intended for zero-trust deployments, strict cryptographic compliance boundaries, and immutable cloud-native workloads. Keep in mind that a FIPS 140-3 certificate covers the FIPS provider module at a specific version, not the image as a whole: the version that openssl list -providers reports for the fips provider is the one to match against its CMVP certificate, and it can differ from the libcrypto version in the image tag.


DEPLOYMENT ARTIFACTS

Secure Pull Commands & Cryptographic Digests

Select the pull method that fits your environment. For production workloads, pull by SHA256 digest: a digest names exactly one image manifest and cannot change, whereas a version or floating tag can be repointed at a different image after you reviewed it (tag swapping).


Artifact Tiers & Quick Start

Zero-Surface Production Environment

Security Policy: Minimal rootfs with no shell and no CLI utilities. There is nothing for docker exec to run in this variant, so debug a live workload with the General Purpose image or a separate debug container rather than by attaching to it.

# Pull by Version Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless

# Pull by Floating Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:distroless

# Pull by Immutable Digest (Recommended)
docker pull ghcr.io/taha2samy/wolfi-openssl-fips@sha256:2567321540f29d657449350444868fc8110336c28265c86093b4c37c740402b2

Integrity metadata: SLSA L3 provenance (View Attestation); CycloneDX SBOM (Download JSON)

General Purpose Secure Runtime

Security Policy: Hardened rootfs with an interactive shell (/bin/bash) and CLI utilities.

# Pull by Version Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5

# Pull by Floating Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:latest

# Pull by Immutable Digest (Recommended)
docker pull ghcr.io/taha2samy/wolfi-openssl-fips@sha256:a83a0e3a1626f2693924f554e769583c7ba9ce830d9ce612d8a3322269a89022

Integrity metadata: SLSA L3 provenance (View Attestation); CycloneDX SBOM (Download JSON)

FIPS-Linked Build Agent

Security Policy: Includes the C toolchain, headers, and build tools. Intended as the builder stage of a multi-stage build, so that applications are compiled and linked against the same OpenSSL that ships in the runtime variants, with only the resulting binaries copied into the final image.

# Pull by Version Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-dev

# Pull by Floating Tag
docker pull ghcr.io/taha2samy/wolfi-openssl-fips:dev

# Pull by Immutable Digest (Recommended)
docker pull ghcr.io/taha2samy/wolfi-openssl-fips@sha256:742cd34ccdd18b8282539208d33f8eaa23323289cb143c18df37bcca100a4cd9

Integrity metadata: SLSA L3 provenance (View Attestation); CycloneDX SBOM (Download JSON)


Cross-Variant Tagging Matrix

Profile     Production (Distroless)   Runtime (Standard)   SDK (Development)
Versioned   3.5.5-distroless          3.5.5                3.5.5-dev
Floating    distroless                latest               dev
Registry    ghcr.io                   ghcr.io              ghcr.io

Continuous Compliance Engine (Trivy)

Our verification engine uses Trivy to enforce a zero-CVE posture and operational hardening across all image variants. Every build is checked against the three benchmarks below. Note that the two Kubernetes benchmarks describe how a workload is deployed (pod and cluster configuration), so they are evaluated on the deployment, not on the image bytes alone.

CIS Docker Benchmarks

Checks of the image and its runtime configuration against the CIS Docker Benchmark.

NSA/CISA Hardening

Checks against the NSA/CISA Kubernetes Hardening Guidance: workload isolation, network segmentation, and cluster-level threat mitigation.

K8s PSS Restricted

Verification against the Pod Security Standards Restricted profile, the strictest built-in Kubernetes workload policy (non-root, no privilege escalation, capabilities dropped, seccomp profile required).


Infrastructure SAST (KICS)

Security begins at the architecture level. We use KICS (Keeping Infrastructure as Code Secure) for static analysis of the Dockerfile, the HCL build definitions, and the CI/CD pipeline definitions, so that misconfigurations are caught before they reach the build environment.

STATUS: 1 SECURITY RISK IDENTIFIED

Static analysis has flagged one configuration finding in the build layers; the full report gives the rule, its severity, and the affected file.


OPEN FULL KICS AUDIT REPORT


Supply Chain Integrity

SLSA Level 3 Compliant & Verified

GitHub Actions        SLSA Level 3

Every build runs on GitHub Actions with strictly pinned dependencies, is signed with Sigstore keyless signing (the signing certificate is bound to the workflow's OIDC identity), and ships with SLSA Level 3 provenance and a verifiable CycloneDX SBOM (Software Bill of Materials).

Immutable Dependencies

Every base image and package is pinned by SHA256 digest in versions.hcl, so each rebuild consumes byte-for-byte identical inputs, and an upstream tag that is later repointed at a malicious artifact ("upstream poisoning") cannot silently enter the build.

Verified Provenance

A signed provenance statement that records which Git commit, workflow, and builder produced a given image digest, so you can check that the image you run came from the source you reviewed.

CycloneDX SBOM

A complete inventory listing every library, header, and compiler version used to construct the FIPS cryptographic boundary.

Cryptographic Attestations

Publicly verifiable trust bundles for every artifact variant.

Artifact Variant     L3 Provenance Link   SBOM Download
Distroless Runtime   View Attestation     CycloneDX JSON
Standard Image       View Attestation     CycloneDX JSON
Development SDK      View Attestation     CycloneDX JSON
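Putting the pull-by-digest recommendation from the Deployment Artifacts section and the signature and provenance claims in this section into one pre-deployment gate, as an added example (this is not the project's own tooling and not code from the page): it refuses any reference that is not pinned by a full SHA256 digest, then verifies the Sigstore signature and the SLSA provenance before pulling. The source repository github.com/taha2samy/wolfi-openssl-fips, the GitHub Actions OIDC issuer as the signing identity provider, and the presence of cosign, slsa-verifier, crane and docker on the host are assumptions, not facts stated on the page.

```shell
#!/bin/sh
# Added example, not the project's own tooling: gate a deployment on a
# digest-pinned reference plus signature and provenance verification.
# Assumptions (not stated on the page): the source repository is
# github.com/taha2samy/wolfi-openssl-fips, images are signed keyless from a
# GitHub Actions workflow there, and cosign, slsa-verifier, crane and docker
# are installed on the host.

IMAGE=ghcr.io/taha2samy/wolfi-openssl-fips
SOURCE_REPO=github.com/taha2samy/wolfi-openssl-fips          # assumption
OIDC_ISSUER=https://token.actions.githubusercontent.com

# Succeed only for a reference pinned by a full 64-hex-digit sha256 digest.
# Version and floating tags are rejected: a tag can be repointed after review.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}$'
}

# Resolve a tag to the digest it points at right now, for pinning in CI.
resolve_digest() {
  crane digest "$1"
}

# Sigstore keyless verification: the signing certificate must come from the
# GitHub Actions OIDC issuer and name a workflow in SOURCE_REPO.
verify_signature() {
  cosign verify \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "^https://${SOURCE_REPO}/" \
    "$1" >/dev/null
}

# SLSA provenance verification: the attestation must say the image was built
# from SOURCE_REPO by a trusted builder.
verify_provenance() {
  slsa-verifier verify-image "$1" --source-uri "$SOURCE_REPO" >/dev/null
}

# Full gate: unpinned refs are refused up front, before any network access.
verify_release() {
  ref=$1
  if ! is_digest_pinned "$ref"; then
    echo "refusing unpinned reference: $ref" >&2
    echo "pin it as: $IMAGE@$(resolve_digest "$ref")" >&2
    return 1
  fi
  verify_signature "$ref" && verify_provenance "$ref" && docker pull "$ref"
}

if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

Run it as sh verify-release.sh ghcr.io/taha2samy/wolfi-openssl-fips@sha256:<digest> with one of the digests listed above. The identity regexp is anchored to the repository rather than to one workflow file, so a renamed workflow still verifies; tighten it to the exact workflow path once you know it. The digest check runs offline; the two verify steps contact the registry and the Sigstore transparency log.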


Performance Velocity

High-Speed Cryptography & Ecosystem Benchmarks

High-assurance security does not have to cost performance. Because Wolfi is a rolling release tracking OpenSSL 3.5.5, the FIPS provider in these images performs on par with, or better than, the non-FIPS OpenSSL packages in LTS distributions that pin an older branch.


Zero FIPS Penalty

Rigorous integrity checks do not slow down bulk cryptography. The FIPS provider is built from the same source and uses the same AES-NI and AVX/AVX2 assembly paths as the default provider; its extra cost is the module integrity check and self-tests at provider load, plus pairwise-consistency tests on key generation, not per-byte overhead on bulk encryption and hashing.

Ecosystem Optimization

Unlike LTS distributions that pin an older OpenSSL branch and backport fixes, Wolfi tracks upstream OpenSSL, so hardware acceleration (AES-NI on AMD64, the ARMv8 Cryptography Extensions on ARM64) and newer upstream optimizations are available to production workloads without waiting for a distribution rebase.

VIEW FULL COMPARATIVE PERFORMANCE AUDIT




FIPS 140-3 Validated


FIPS Functional Integrity

Boundary Verification & State Machine Logic

To ensure the cryptographic state machine operates within FIPS 140-3 parameters, we run the FIPS provider's Power-On Self-Tests (POST) and Known Answer Tests (KAT) against the production binaries of each variant. In OpenSSL 3 these self-tests execute when the FIPS provider loads; openssl fipsinstall -verify re-runs the module integrity check on demand, and a failed self-test leaves the provider in an error state where it refuses to serve algorithms rather than silently degrading.

Standard Image Audit

Distroless Image Audit
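A runtime check that complements the audits above, as an added example (not the project's own test suite and not code from the page): it asks the image's own openssl binary which providers are loaded, confirms that a provider named fips is active, forces a SHA-256 fetch with the property query fips=yes, and then expects MD5 to fail. The script assumes openssl is on PATH inside the image, and the MD5 step assumes the images are configured FIPS-only (default provider not loaded); both are assumptions, not facts from the page. The parser reads the output of openssl list -providers on stdin, so it can also be run against saved output without Docker.

```shell
#!/bin/sh
# Added example, not the project's own test suite: confirm from outside the
# container that the FIPS provider is the one serving algorithm fetches.
# Assumptions (not stated on the page): openssl is on PATH inside the image
# (it is used as the entrypoint, so the distroless variant needs no shell),
# and the image is configured FIPS-only, i.e. the default provider is not
# loaded and non-approved digests such as MD5 are unavailable.

# Read `openssl list -providers` output on stdin; succeed only if a provider
# block named "fips" reports "status: active".
fips_provider_active() {
  awk '
    # A line holding just a bare name ("  fips", "  default") opens a block.
    /^[ \t]*[A-Za-z0-9_-]+[ \t]*$/ { current = $1; next }
    current == "fips" && /status:[ \t]*active/ { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Run one openssl subcommand inside the image without needing /bin/sh.
image_openssl() {
  img=$1; shift
  docker run --rm -i --entrypoint openssl "$img" "$@"
}

check_fips_image() {
  img=$1

  image_openssl "$img" list -providers | fips_provider_active \
    || { echo "FAIL: no active fips provider in $img" >&2; return 1; }

  # Positive check: force the fetch to come from a provider with fips=yes.
  printf 'abc' | image_openssl "$img" dgst -sha256 -propquery fips=yes >/dev/null \
    || { echo "FAIL: SHA-256 not served by a FIPS provider in $img" >&2; return 1; }

  # Negative check: MD5 is not FIPS-approved, so it must fail. Success means
  # the default provider is still loaded and the boundary is not enforced.
  if printf 'abc' | image_openssl "$img" dgst -md5 >/dev/null 2>&1; then
    echo "FAIL: MD5 succeeded, default provider still reachable in $img" >&2
    return 1
  fi
  echo "OK: $img serves only FIPS-approved algorithms"
}

if [ "$#" -gt 0 ]; then check_fips_image "$1"; fi
```

Run it as sh fips-check.sh ghcr.io/taha2samy/wolfi-openssl-fips@sha256:<digest> for each variant. The -propquery fips=yes check proves the FIPS provider can serve SHA-256 regardless of what else is loaded; the MD5 check proves the opposite direction (nothing non-approved is reachable) and only means something if the image is configured FIPS-only, which is why it is labelled an assumption above.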

Security Contribution

Our testing goes beyond basic compliance. During development against OpenSSL 3.1.2, we identified and reported a logic flaw in the upstream FIPS provider.

Technical Distinction

The finding is a logic bug in the provider's internal state handling, not a security vulnerability (no CVE was assigned); fixing it improves reliability for every consumer of the upstream provider.

Confirmed Upstream Bug Report:
OpenSSL FIPS Provider — Incorrect Boundary Integrity Logic

VIEW VERIFIED ISSUE #30012 ON GITHUB



Operational Excellence & Developer Experience

Unified Lifecycle Management

We use Taskfile to orchestrate the entire project lifecycle, from local unit testing and image builds to compliance auditing. Each tool runs as a pinned Docker image invoked through Taskfile, so the developer workflow is identical to the production CI/CD pipeline.

CI/CD Parity

Eliminate "it works on my machine". Every command executed in GitHub Actions is available locally through the same task commands.

Encapsulated Tooling

Using Docker-wrapped tools ensures that security scanners, compilers, and linters remain version-consistent across all environments without local pollution.

EXPLORE PROJECT OPERATIONS & WORKFLOWS

