Overview

What PodArmor does in three minutes.

PodArmor publishes hardened container images. Every image is:

  • Rebuilt continuously — when an upstream patch ships, we rebuild and publish a new immutable tag within hours
  • Scanned end-to-end — every published image has fresh grype + syft output stored alongside it
  • Signed with Cosign — keyless OIDC, verifiable with cosign verify
  • Distributed with SBOMs — SPDX 2.3 + CycloneDX 1.5, both downloadable per image-version

Customer-facing surfaces:

Surface                          URL
Portal                           https://<your-subdomain>.app.podarmor.dev
Public registry                  public.ecr.aws/e8w9b9r7/podarmor/*
Private registry (per customer)  <account-id>.dkr.ecr.<region>.amazonaws.com/podarmor/*
Status page                      /status on your portal subdomain
Docs                             This site

Tag scheme

Every image follows the same Chainguard-style tag scheme:

{image}:{upstream}-r{epoch}    ← immutable, pin for reproducibility
{image}:{upstream}             ← rolling within a patch level
{image}:{major.minor}          ← rolling within a minor (future)
{image}:latest                 ← bleeding edge

The r{epoch} is the PodArmor-side rebuild counter. Same upstream version, different rebuild — e.g. maven:3.8.3-r0 vs :3.8.3-r1 are both Maven 3.8.3 from the same upstream tag, but the r1 build has the latest distro patches absorbed.

Pinning advice

  • Reproducible builds: pin to the immutable -r{epoch} tag and rebuild only when you choose to bump
  • Auto-patching: pin to the rolling {upstream} tag; we move that alias to the newest r{epoch} build each time we rebuild
  • Bleeding edge: :latest — fine for dev, not for production
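As an added example (not PodArmor's own tooling), a small Python checker that parses image references under the tag scheme above and flags, per environment, any tag that does not follow the pinning advice. The environment names, the dotted-version regexes and the sample references are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PodArmor tag kinds: immutable {upstream}-r{epoch}, rolling {upstream} (patch level),
# rolling {major.minor}, and :latest. Dotted numeric upstream versions are assumed.
IMMUTABLE_RE = re.compile(r"^(?P<upstream>\d+(?:\.\d+)*)-r(?P<epoch>\d+)$")
PATCH_RE = re.compile(r"^\d+\.\d+\.\d+$")
MINOR_RE = re.compile(r"^\d+\.\d+$")

@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: str
    kind: str             # immutable | rolling-patch | rolling-minor | latest | unknown
    epoch: Optional[int]  # PodArmor rebuild counter, set only for immutable tags

def parse_ref(ref: str) -> ImageRef:
    """Split a registry reference and classify its tag under the PodArmor scheme."""
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag (the ':' was a registry port): implies :latest
        repo, tag = ref, "latest"
    m = IMMUTABLE_RE.match(tag)
    if m:
        return ImageRef(repo, tag, "immutable", int(m.group("epoch")))
    if tag == "latest":
        return ImageRef(repo, tag, "latest", None)
    if PATCH_RE.match(tag):
        return ImageRef(repo, tag, "rolling-patch", None)
    if MINOR_RE.match(tag):
        return ImageRef(repo, tag, "rolling-minor", None)
    return ImageRef(repo, tag, "unknown", None)

# Allowed tag kinds per environment, following the pinning advice: production pins
# immutable tags only, staging may auto-patch via rolling tags, dev may use anything.
POLICY = {
    "production": {"immutable"},
    "staging": {"immutable", "rolling-patch", "rolling-minor"},
    "dev": {"immutable", "rolling-patch", "rolling-minor", "latest", "unknown"},
}

def check_pinning(refs, environment):
    """Return the parsed refs whose tag kind the environment's policy rejects."""
    return [r for r in map(parse_ref, refs) if r.kind not in POLICY[environment]]

# Constructed sample refs (not from the docs), e.g. gathered from Dockerfile FROM lines.
SAMPLE_REFS = [
    "public.ecr.aws/e8w9b9r7/podarmor/maven:3.8.3-r1",
    "public.ecr.aws/e8w9b9r7/podarmor/maven:3.8.3",
    "public.ecr.aws/e8w9b9r7/podarmor/nginx:latest",
    "public.ecr.aws/e8w9b9r7/podarmor/python:3.12",
]
```

Running `check_pinning(SAMPLE_REFS, "production")` returns the three non-immutable references, which is the list a CI gate would refuse to ship.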
