DevSecOps Software Factory
Container Hardening, Pipeline Security & SBOM Management. Build software factories that generate compliance evidence as a byproduct of delivery. Iron Bank container hardening, security gates at every pipeline stage, and automated SBOM generation—without slowing down deployment velocity.
Big Bang component stack
Big Bang deploys a standardized set of security and observability tools onto any CNCF-certified Kubernetes cluster. Each component serves a specific compliance function—service mesh for encryption in transit, policy engines for admission control, logging for audit trails.
Thalorin maps Big Bang component health to specific RMF controls. When Istio mTLS degrades, the SC-8 control status updates. When Vault becomes unavailable, SC-12 and SC-28 alert.
Traffic management, mTLS encryption, load balancing between services
Service mesh observability dashboard
Distributed tracing for request flow analysis
Iron Bank hardening process
Iron Bank contains 1,200+ pre-hardened container images rebuilt every 24 hours. When you need custom images—which you will—they must meet the same Container Hardening Guide standards.
Thalorin tracks container provenance across your deployments. Which Iron Bank images are you using? Which are custom? When do justifications expire?
Start from an approved Iron Bank base (UBI, Alpine, Chainguard). Never build FROM scratch or upstream Docker Hub.
Remove shells where possible. Run as non-root. Drop all capabilities. Set read-only root filesystem. No package managers in final image.
Scan with Twistlock/Prisma. Zero critical CVEs. High CVEs require documented justification or 14-day remediation plan.
Pass OpenSCAP checks against DISA STIG baseline. Every failed rule requires justification or fix.
Submit container to Iron Bank via MR to repo1. Automated pipeline runs all scans. Approval typically 2-4 weeks.
Security gates that produce evidence
Each pipeline stage runs specific security checks. The tools vary by organization, but the pattern is consistent: scan, enforce thresholds, block on failures, generate evidence.
Thalorin aggregates scan results from every tool in your pipeline into a unified evidence store. When assessors ask "how do you verify no critical CVEs in production?"—you have timestamped proof.
SBOM generation & VEX
Executive Order 14028 requires SBOM delivery within 30 days of release. The practical challenge: generating accurate SBOMs for containerized applications with hundreds of transitive dependencies.
Thalorin integrates SBOM generation into your build pipeline, archives SBOMs by version, and correlates them with vulnerability data. When a new CVE drops, you know which deployments contain the affected package.
CycloneDX
OWASPDesigned for security. Native VEX support. Good for vulnerability correlation.
SPDX
Linux FoundationStrong license compliance. ISO standard (ISO/IEC 5962:2021). Broad ecosystem.
NTIA Minimum Elements (required)
VEX: Vulnerability Exploitability eXchange
SBOMs list what's in your software. VEX documents say whether reported vulnerabilities actually affect your deployment. "Yes, log4j is in the image, but the vulnerable code path isn't reachable." VEX prevents false-positive remediation panic.
Artifact signing & provenance
Code becomes container becomes deployment. At each step, cryptographic signatures prove the artifact wasn't tampered with. The cluster only runs images it can verify came from your pipeline.
Sigstore provides keyless signing—no key management burden. Cosign signs, Rekor provides transparency log, Fulcio issues ephemeral certificates tied to OIDC identity.
git verify-commitcosign verifycosign verify-blobKyverno image verifyAdmission enforcement: Kyverno or OPA Gatekeeper rejects any pod with unsigned or unverified images. The signature check happens at deploy time, every time.
Platform control inheritance
Platform One and similar software factories maintain their own ATO covering infrastructure controls. Tenant applications inherit these controls—you don't re-document how Istio works.
Thalorin maintains control inheritance mappings. When your SSP references platform-provided controls, we link to the authoritative platform documentation and track that the platform ATO remains valid.
Typically Inherited from Platform
Keycloak SSO, namespace RBAC, network policies
EFK stack, Loki, audit logging
GitOps, ArgoCD, Helm value enforcement
Istio mTLS, cert-manager, network segmentation
Falco, container scanning, admission control
You're Still Responsible For:
- Application-specific access control logic
- Application-level logging (what your code logs)
- Secrets your application uses (not how Vault works)
- Application vulnerability remediation
- SBOM for your application dependencies
Security that developers don't hate
The fastest way to undermine DevSecOps is to make security slow and opaque. Developers will work around tools that block them without explanation.
Good DevSecOps gives developers fast feedback, clear remediation guidance, and escape hatches when they need to accept risk. Security becomes a feature of the pipeline, not a gatekeeper outside it.
Fast feedback
Developers find issues in IDE or pre-commit, not 20 minutes into a CI run. Shift left means shift fast.
Clear remediation
Don't just say 'CVE-2024-1234 detected.' Show the package, the fix version, and the upgrade command.
Automated fixes
Dependabot/Renovate PRs for dependency updates. Don't make developers hunt for fixes.
Self-service exceptions
Developers can request risk acceptance with justification. Security reviews, not security blocks.
Thalorin's role:We don't run the scans—your pipeline tools do. We aggregate the results, track exceptions, and present the evidence in formats assessors understand. Developers use their tools; compliance gets its artifacts.
Software factory capabilities
Collect scan results from GitLab, Jenkins, GitHub Actions
Monitor container provenance and approval status
Store, version, and query SBOMs by deployment
Create exploitability statements for false positives
Link tenant SSP to platform control documentation
Track CVE exceptions with expiration and renewal
Component status tied to control families
API for admission webhooks to query Thalorin
Ready to build a compliant software factory?
See how Thalorin integrates with your CI/CD pipeline to track security evidence from commit to production—without adding friction for developers.