Container Hardening, Pipeline Security & SBOM Management. Build software factories that generate compliance evidence as a byproduct of delivery. Iron Bank container hardening, security gates at every pipeline stage, and automated SBOM generation—without slowing down deployment velocity.
Big Bang deploys a standardized set of security and observability tools onto any CNCF-certified Kubernetes cluster. Each component serves a specific compliance function—service mesh for encryption in transit, policy engines for admission control, logging for audit trails.
Thalorin maps Big Bang component health to specific RMF controls. When Istio mTLS degrades, the SC-8 control status updates. When Vault becomes unavailable, SC-12 and SC-28 alert.
Traffic management, mTLS encryption, load balancing between services
Service mesh observability dashboard
Distributed tracing for request flow analysis
Iron Bank contains 1,200+ pre-hardened container images rebuilt every 24 hours. When you need custom images—which you will—they must meet the same Container Hardening Guide standards.
Thalorin tracks container provenance across your deployments. Which Iron Bank images are you using? Which are custom? When do justifications expire?
Start from an approved Iron Bank base (UBI, Alpine, Chainguard). Never build FROM scratch or upstream Docker Hub.
Remove shells where possible. Run as non-root. Drop all capabilities. Set read-only root filesystem. No package managers in final image.
Scan with Twistlock/Prisma. Zero critical CVEs. High CVEs require documented justification or 14-day remediation plan.
Pass OpenSCAP checks against DISA STIG baseline. Every failed rule requires justification or fix.
Submit container to Iron Bank via MR to repo1. Automated pipeline runs all scans. Approval typically 2-4 weeks.
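The hardening steps above are easy to state and easy to drift from, so a check that runs before the Iron Bank pipeline is useful. The following is an added example, not Thalorin's or Iron Bank's own tooling: a small Python pre-commit check that parses a multi-stage Dockerfile and flags the rules a Dockerfile can express (base image from the approved registry, no FROM scratch or Docker Hub, a non-root USER in the final stage, no package manager in the final stage). The registry prefix `registry1.dso.mil/ironbank/` and the sample image paths are assumptions; dropping capabilities and the read-only root filesystem are runtime settings that belong in the pod securityContext and are not checked here.

```python
"""Pre-commit check for the Iron Bank container hardening rules (added example)."""
import re
import sys
from typing import List

# Assumption: Iron Bank images are pulled from registry1.dso.mil; change this
# prefix to your organisation's approved mirror.
APPROVED_PREFIX = "registry1.dso.mil/ironbank/"

# Package-manager invocations that must not appear in the final image stage.
PACKAGE_MANAGERS = ("apt-get ", "apt ", "yum ", "dnf ", "microdnf ", "apk ",
                    "zypper ", "pip install", "pip3 install")


def parse_stages(dockerfile: str) -> List[dict]:
    """Split a Dockerfile into build stages.

    Each stage is {"base": image or alias, "alias": AS name or None,
    "lines": [(KEYWORD, args), ...]}. Backslash continuations are joined so a
    multi-line RUN is inspected as one instruction.
    """
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    stages: List[dict] = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.upper()
        if keyword == "FROM":
            m = re.match(r"(\S+)(?:\s+AS\s+(\S+))?", rest.strip(), re.IGNORECASE)
            if m:
                stages.append({"base": m.group(1), "alias": m.group(2), "lines": []})
        elif stages:
            stages[-1]["lines"].append((keyword, rest.strip()))
    return stages


def check_dockerfile(dockerfile: str) -> List[str]:
    """Return hardening findings; an empty list means the Dockerfile passes."""
    findings: List[str] = []
    stages = parse_stages(dockerfile)
    if not stages:
        return ["no FROM instruction found"]

    aliases = set()
    for n, stage in enumerate(stages):
        base = stage["base"]
        if base.lower() == "scratch":
            findings.append(f"stage {n}: FROM scratch is not allowed")
        elif base not in aliases and not base.startswith(APPROVED_PREFIX):
            findings.append(f"stage {n}: base image {base!r} is not from the approved Iron Bank registry")
        if stage["alias"]:
            aliases.add(stage["alias"])

    # Only the last stage ships; build stages may install toolchains.
    final = stages[-1]
    users = [args for kw, args in final["lines"] if kw == "USER"]
    if not users:
        findings.append("final stage: no USER instruction, image runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage: last USER is root")
    for kw, args in final["lines"]:
        if kw == "RUN" and any(pm in args for pm in PACKAGE_MANAGERS):
            findings.append(f"final stage: package manager invoked in RUN: {args[:60]}")
    return findings


# Constructed sample Dockerfiles; the image paths under ironbank/ are illustrative.
GOOD_DOCKERFILE = r"""
FROM registry1.dso.mil/ironbank/example/ubi9:9.4 AS builder
RUN dnf install -y gcc && \
    dnf clean all
COPY src/ /src/
RUN make -C /src

FROM registry1.dso.mil/ironbank/example/ubi9-minimal:9.4
COPY --from=builder /src/app /usr/local/bin/app
USER 1001
ENTRYPOINT ["/usr/local/bin/app"]
"""

BAD_DOCKERFILE = r"""
FROM docker.io/library/python:3.12
RUN pip install flask
COPY app.py /app/
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_DOCKERFILE
    problems = check_dockerfile(text)
    print("\n".join(problems) if problems else "hardening checks passed")
    sys.exit(1 if problems else 0)
```

Run it as `python check_dockerfile.py path/to/Dockerfile`; a non-zero exit blocks the commit. Build stages are allowed to use a package manager because only the last stage is shipped, which is why the good sample passes even though its builder stage runs dnf.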
Each pipeline stage runs specific security checks. The tools vary by organization, but the pattern is consistent: scan, enforce thresholds, block on failures, generate evidence.
Thalorin aggregates scan results from every tool in your pipeline into a unified evidence store. When assessors ask "how do you verify no critical CVEs in production?"—you have timestamped proof.
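The "scan, enforce thresholds, block on failures, generate evidence" pattern, applied to the CVE thresholds stated above (zero critical; high requires a documented justification or a remediation plan of at most 14 days), as an added example that is not Thalorin's code. Scanner output is normalised to a small constructed shape, so you would map your scanner's JSON (Twistlock/Prisma or any other) onto it first; the image name, tool name and all CVE ids except the page's own CVE-2024-1234 are constructed placeholders. The function returns the evidence record that a pipeline would archive.

```python
"""Pipeline CVE gate that emits an evidence record (added example)."""
import json
import sys
from datetime import date, datetime, timezone

MAX_REMEDIATION_DAYS = 14


def evaluate_scan(scan: dict, exceptions: dict, today_iso: str) -> dict:
    """Apply the gate to one image scan and return the evidence record.

    scan: {"image", "tool", "findings": [{"cve", "package", "version", "severity", "fix_version"}]}
    exceptions: {cve: {"kind": "justification" | "remediation", "opened", "expires", "note"}}
    today_iso: evaluation date as YYYY-MM-DD (passed in so results are reproducible)
    """
    today = date.fromisoformat(today_iso)
    blocking, accepted = [], []
    for f in scan["findings"]:
        sev = f["severity"].upper()
        # Remediation guidance travels with the finding: package, fix version, upgrade hint.
        fix = f"upgrade {f['package']} {f['version']} -> {f['fix_version'] or 'no fix yet'}"
        if sev == "CRITICAL":
            blocking.append(f"{f['cve']}: critical, never accepted; {fix}")
            continue
        if sev != "HIGH":
            continue  # medium and low stay in the scan report but do not block
        exc = exceptions.get(f["cve"])
        if exc is None:
            blocking.append(f"{f['cve']}: high without justification or remediation plan; {fix}")
            continue
        opened = date.fromisoformat(exc["opened"])
        expires = date.fromisoformat(exc["expires"])
        if expires < today:
            blocking.append(f"{f['cve']}: exception expired on {expires}; {fix}")
        elif exc["kind"] == "remediation" and (expires - opened).days > MAX_REMEDIATION_DAYS:
            blocking.append(f"{f['cve']}: remediation plan longer than {MAX_REMEDIATION_DAYS} days")
        else:
            accepted.append({"cve": f["cve"], "kind": exc["kind"],
                             "expires": exc["expires"], "note": exc["note"]})
    return {
        "image": scan["image"],
        "tool": scan["tool"],
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "policy": "zero critical; high requires justification or <=14-day remediation",
        "passed": not blocking,
        "blocking": blocking,
        "accepted_exceptions": accepted,
    }


# Constructed sample scan and exception register (placeholder ids, not real advisories).
SAMPLE_SCAN = {
    "image": "registry.example.internal/app:1.4.2",
    "tool": "example-scanner",
    "findings": [
        {"cve": "CVE-2024-1234", "package": "libexample", "version": "1.2.0",
         "severity": "HIGH", "fix_version": "1.2.3"},
        {"cve": "CVE-0000-0002", "package": "libother", "version": "4.0.1",
         "severity": "HIGH", "fix_version": "4.0.2"},
        {"cve": "CVE-0000-0003", "package": "libmisc", "version": "0.9.0",
         "severity": "MEDIUM", "fix_version": None},
    ],
}
SAMPLE_EXCEPTIONS = {
    "CVE-2024-1234": {"kind": "remediation", "opened": "2025-03-01", "expires": "2025-03-10",
                      "note": "upgrade scheduled with release 1.4.3"},
}

if __name__ == "__main__":
    evidence = evaluate_scan(SAMPLE_SCAN, SAMPLE_EXCEPTIONS, date.today().isoformat())
    print(json.dumps(evidence, indent=2))
    sys.exit(0 if evidence["passed"] else 1)
```

Because the exception register carries an opened date and an expiry, the same record answers the assessor's question later: the evidence shows which CVEs were present, which were accepted under what justification, and when that acceptance lapses.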
Executive Order 14028 requires SBOM delivery within 30 days of release. The practical challenge: generating accurate SBOMs for containerized applications with hundreds of transitive dependencies.
Thalorin integrates SBOM generation into your build pipeline, archives SBOMs by version, and correlates them with vulnerability data. When a new CVE drops, you know which deployments contain the affected package.
CycloneDX: Designed for security. Native VEX support. Good for vulnerability correlation.
SPDX: Strong license compliance. ISO standard (ISO/IEC 5962:2021). Broad ecosystem.
SBOMs list what's in your software. VEX documents say whether reported vulnerabilities actually affect your deployment. "Yes, log4j is in the image, but the vulnerable code path isn't reachable." VEX prevents false-positive remediation panic.
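The two capabilities described above, answering "which deployments contain the affected package?" from an SBOM archive and then applying the VEX statement so a not-affected deployment is not queued for remediation, in one added example that is not Thalorin's code. SBOMs are CycloneDX JSON; the VEX overlay uses the CycloneDX vulnerability fields (`id`, `affects[].ref`, `analysis.state`, `analysis.justification`). Every document, purl, deployment name and CVE id below is constructed for the example.

```python
"""SBOM archive lookup with VEX overlay (added example)."""
from typing import Dict, List, Optional, Tuple

# CycloneDX analysis states that mean "no remediation needed for this deployment".
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def component_index(sbom: dict) -> Dict[str, dict]:
    """Map package URL -> component for every component that carries a purl."""
    return {c["purl"]: c for c in sbom.get("components", []) if "purl" in c}


def vex_disposition(vex: dict, cve: str, purl: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (state, justification) from a VEX document for this CVE and component, or None."""
    for v in vex.get("vulnerabilities", []):
        if v.get("id") != cve:
            continue
        refs = {a.get("ref") for a in v.get("affects", [])}
        if not refs or purl in refs:  # a statement with no affects[] applies to the whole product
            analysis = v.get("analysis", {})
            return analysis.get("state", "in_triage"), analysis.get("justification")
    return None


def correlate(advisory: dict, sboms: Dict[str, dict], vex_docs: Dict[str, dict]) -> List[dict]:
    """List deployments whose SBOM contains an affected purl, with their VEX disposition."""
    hits = []
    for deployment, bom in sboms.items():
        index = component_index(bom)
        for purl in advisory["affected_purls"]:
            if purl not in index:
                continue
            disp = vex_disposition(vex_docs.get(deployment, {}), advisory["id"], purl)
            state, why = disp if disp else ("in_triage", None)
            hits.append({
                "deployment": deployment,
                "component": f"{index[purl]['name']}@{index[purl]['version']}",
                "vex_state": state,
                "justification": why,
                "action_required": state not in CLOSED_STATES,
            })
    return hits


def make_sbom(components) -> dict:
    """Build a minimal CycloneDX 1.4 document from (name, version, purl) tuples."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "library", "name": n, "version": v, "purl": p}
                           for n, v, p in components]}


# Constructed archive: SBOMs keyed by deployment and version, plus one VEX document.
LOGGING_LIB = "pkg:maven/example/logging-lib@2.14.1"
HTTP_CLIENT = "pkg:maven/example/http-client@5.1.0"
SBOM_ARCHIVE = {
    "payments-prod-1.4.2": make_sbom([("logging-lib", "2.14.1", LOGGING_LIB),
                                      ("http-client", "5.1.0", HTTP_CLIENT)]),
    "reports-prod-2.0.0": make_sbom([("logging-lib", "2.14.1", LOGGING_LIB)]),
    "inventory-prod-3.3.1": make_sbom([("http-client", "5.1.0", HTTP_CLIENT)]),
}
VEX_ARCHIVE = {
    # The library is present in payments, but the vulnerable code path is not reachable.
    "payments-prod-1.4.2": {"vulnerabilities": [{
        "id": "CVE-0000-0001",
        "affects": [{"ref": LOGGING_LIB}],
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
    }]},
}
NEW_ADVISORY = {"id": "CVE-0000-0001", "affected_purls": [LOGGING_LIB]}  # placeholder id

if __name__ == "__main__":
    for hit in correlate(NEW_ADVISORY, SBOM_ARCHIVE, VEX_ARCHIVE):
        print(hit)
```

With the constructed archive, the advisory matches two of the three deployments; payments carries a `not_affected` VEX statement and is reported with `action_required` false, while reports has no statement, stays `in_triage`, and is the one that needs work.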
Code becomes container becomes deployment. At each step, cryptographic signatures prove the artifact wasn't tampered with. The cluster only runs images it can verify came from your pipeline.
Sigstore provides keyless signing—no key management burden. Cosign signs, Rekor provides transparency log, Fulcio issues ephemeral certificates tied to OIDC identity.
Verification at each step: git verify-commit, cosign verify, cosign verify-blob, Kyverno image verify.
Admission enforcement: Kyverno or OPA Gatekeeper rejects any pod with unsigned or unverified images. The signature check happens at deploy time, every time.
Platform One and similar software factories maintain their own ATO covering infrastructure controls. Tenant applications inherit these controls—you don't re-document how Istio works.
Thalorin maintains control inheritance mappings. When your SSP references platform-provided controls, we link to the authoritative platform documentation and track that the platform ATO remains valid.
Keycloak SSO, namespace RBAC, network policies
EFK stack, Loki, audit logging
GitOps, ArgoCD, Helm value enforcement
Istio mTLS, cert-manager, network segmentation
Falco, container scanning, admission control
The fastest way to undermine DevSecOps is to make security slow and opaque. Developers will work around tools that block them without explanation.
Good DevSecOps gives developers fast feedback, clear remediation guidance, and escape hatches when they need to accept risk. Security becomes a feature of the pipeline, not a gatekeeper outside it.
Developers find issues in IDE or pre-commit, not 20 minutes into a CI run. Shift left means shift fast.
Don't just say 'CVE-2024-1234 detected.' Show the package, the fix version, and the upgrade command.
Dependabot/Renovate PRs for dependency updates. Don't make developers hunt for fixes.
Developers can request risk acceptance with justification. Security reviews, not security blocks.
Thalorin's role: We don't run the scans—your pipeline tools do. We aggregate the results, track exceptions, and present the evidence in formats assessors understand. Developers use their tools; compliance gets its artifacts.
Collect scan results from GitLab, Jenkins, GitHub Actions
Monitor container provenance and approval status
Store, version, and query SBOMs by deployment
Create exploitability statements for false positives
Link tenant SSP to platform control documentation
Track CVE exceptions with expiration and renewal
Component status tied to control families
API for admission webhooks to query Thalorin
See how Thalorin integrates with your CI/CD pipeline to track security evidence from commit to production—without adding friction for developers.