Getting started
Overview
What PodArmor does in three minutes.
PodArmor publishes hardened container images. Every image is:
- Rebuilt continuously — when an upstream patch ships, we rebuild and publish a new immutable tag within hours
- Scanned end-to-end — every published image has fresh grype + syft output stored alongside it
- Signed with Cosign — keyless OIDC, verifiable with `cosign verify`
- Distributed with SBOMs — SPDX 2.3 + CycloneDX 1.5, both downloadable per image-version
Customer-facing surfaces:
| Surface | URL |
|---|---|
| Portal | https://<your-subdomain>.app.podarmor.dev |
| Public registry | public.ecr.aws/e8w9b9r7/podarmor/* |
| Private registry (per customer) | <account-id>.dkr.ecr.<region>.amazonaws.com/podarmor/* |
| Status page | /status on your portal subdomain |
| Docs | This site |
Tag scheme
Every image follows the same Chainguard-style tag scheme:
```text
{image}:{upstream}-r{epoch}   ← immutable, pin for reproducibility
{image}:{upstream}            ← rolling within a patch level
{image}:{major.minor}         ← rolling within a minor (future)
{image}:latest                ← bleeding edge
```

The `r{epoch}` is the PodArmor-side rebuild counter: same upstream version, different rebuild. For example, `maven:3.8.3-r0` and `maven:3.8.3-r1` are both Maven 3.8.3 built from the same upstream tag, but the `r1` build has the latest distro patches absorbed.
Pinning advice
- Reproducible builds: pin to the immutable `-r{epoch}` tag and rebuild only when you choose to bump
- Auto-patching: pin to the rolling `{upstream}` tag; we move the alias to the latest `r{epoch}` build when we rebuild
- Bleeding edge: `:latest` — fine for dev, not for production