Goal
Deploy a secure, scanned, signed container image to production in 15 minutes.
The following diagram illustrates the 15-minute quickstart flow from setup through deployment:
```mermaid
graph LR
    A["Setup<br/>7 min"] -->|2 min| B["Install<br/>clnstrt-cli"]
    A -->|2 min| C["Get<br/>API Key"]
    A -->|3 min| D["Create<br/>App"]
    B -->|Verify| E["clnstrt-cli<br/>--version"]
    C -->|Export| F["CLEANSTART<br/>_API_KEY"]
    D -->|Write| G["app.py<br/>Dockerfile"]
    E -->|Build<br/>2 min| H["docker build<br/>-t my-app:v1"]
    G -->|Build| H
    H -->|Generate<br/>1 min| I["clnstrt-cli<br/>generate-sbom"]
    I -->|Output| J["sbom.spdx<br/>SPDX Format"]
    J -->|Analyze<br/>2 min| K["clnstrt-cli<br/>verify"]
    K -->|Check| L["CVEs<br/>Dependencies<br/>Compliance"]
    L -->|Sign<br/>1 min| M["clnstrt-cli<br/>sign"]
    M -->|Output| N["Cosign<br/>Signature"]
    N -->|Push<br/>1 min| O["docker push<br/>to registry"]
    O -->|Registry| P["YOUR_REGISTRY<br/>my-app:v1"]
    P -->|Deploy<br/>1 min| Q["docker run<br/>my-app:v1"]
    Q -->|Result| R["Secure<br/>Signed<br/>Container<br/>Running"]
    style A fill:#ffff99
    style H fill:#ccffcc
    style I fill:#ccffcc
    style K fill:#ccffcc
    style M fill:#ccffcc
    style R fill:#99ff99
```

Prerequisites
You will need Docker or Podman installed on your system. You'll also need access to a container registry such as Docker Hub, GCR, ECR, or another compatible registry service. The clnstrt-cli tool should be installed (which takes about 5 minutes), and you'll need an API key from the CleanStart portal (about 2 minutes to obtain).
Setup: 7 minutes total
Step 1: Install CLI (2 minutes)
```bash
curl -sSL https://releases.cleanstart.dev/clnstrt-cli-latest.tar.gz | tar xz
chmod +x ./clnstrt-cli
sudo mv ./clnstrt-cli /usr/local/bin/clnstrt-cli
clnstrt-cli --version
```

Step 2: Get API Key (2 minutes)
```bash
# Go to https://portal.cleanstart.dev
# 1. Sign up or log in
# 2. Account → API Keys
# 3. Click "Generate New Key"
# 4. Copy key
export CLEANSTART_API_KEY="cs_live_abc123def456..."
```

Step 3: Create Application (2 minutes)
```bash
mkdir my-secure-app && cd my-secure-app

# Create simple app
cat > app.py << 'EOF'
from flask import Flask

app = Flask(__name__)

@app.route('/')
def hello():
    return 'Hello from CleanStart!'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
EOF

# Create Dockerfile using CleanStart base
cat > Dockerfile << 'EOF'
FROM gcr.io/cleanstart-images/runtimes/python:3.12-prod

WORKDIR /app
COPY app.py .

RUN pip install flask

EXPOSE 8080
CMD ["python", "app.py"]
EOF
```

Step 4: Build Image (2 minutes)
```bash
docker build -t my-app:v1 .
docker tag my-app:v1 YOUR_REGISTRY/my-app:v1
```

Step 5: Generate SBOM (1 minute)
```bash
clnstrt-cli generate-sbom \
  --image my-app:v1 \
  --format spdx \
  --output sbom.spdx

cat sbom.spdx | head -20
```

Step 6: Analyze Dependencies (2 minutes)
```bash
clnstrt-cli analyze-dependencies \
  --sbom sbom.spdx \
  --include-threat-intel

# Output shows:
# Python 3.12: 0 vulnerabilities
# Flask 2.3.2: 0 vulnerabilities
# Risk Score: 0.0 (Perfect)
# Status: SAFE TO DEPLOY
```

Step 7: Sign Image (1 minute)
```bash
clnstrt-cli sign \
  --image YOUR_REGISTRY/my-app:v1 \
  --key cosign.key \
  --attestations sbom.spdx

# Output:
# Image signed successfully
# Attestation attached: sbom
```

Step 8: Push to Registry (1 minute)
```bash
docker login YOUR_REGISTRY
docker push YOUR_REGISTRY/my-app:v1
```

Step 9: Verify Signature (1 minute)
```bash
clnstrt-cli verify \
  --image YOUR_REGISTRY/my-app:v1 \
  --key cosign.pub \
  --require-attestations sbom

# Output:
# Signature verified
# SBOM attestation present
# All checks passed
```

Step 10: Generate Report (1 minute)
```bash
clnstrt-cli risk-report \
  --image YOUR_REGISTRY/my-app:v1 \
  --format html \
  --output security-report.html

open security-report.html   # macOS; on Linux use xdg-open instead
```

Timeline
| Step                 | Time   |
|----------------------|--------|
| Install CLI          | 2 min  |
| Get API key          | 2 min  |
| Create application   | 2 min  |
| Build image          | 2 min  |
| Generate SBOM        | 1 min  |
| Analyze dependencies | 2 min  |
| Sign image           | 1 min  |
| Push to registry     | 1 min  |
| Verify signature     | 1 min  |
| Generate report      | 1 min  |
| TOTAL                | 15 min |

Result: a production-ready image.

Deploying to Kubernetes (Bonus: 5 minutes)
```bash
kubectl create namespace my-app

cat > deployment.yaml << 'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: app
        image: YOUR_REGISTRY/my-app:v1
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 512Mi
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
EOF

kubectl apply -f deployment.yaml
kubectl get pods -n my-app
```

What You've Accomplished
You have secured your application with a hardened base image from CleanStart. You generated a complete Software Bill of Materials (SBOM) showing all dependencies. You checked for vulnerabilities and verified that there are no critical issues. You signed your image cryptographically to prove authenticity. You verified the signature when pulling from your registry. You generated comprehensive compliance documentation. Your image is now production-ready and can be deployed to Kubernetes with full supply chain security.
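As an added example (not code from the CleanStart project or from clnstrt-cli), the Python script below ties Steps 5 and 6 and the Kubernetes deployment together as a single pre-deployment gate that you could run right before `kubectl apply`. It parses an SPDX tag-value SBOM shaped like the `sbom.spdx` from Step 5, checks the listed packages against an advisory list, and checks the Deployment from the bonus section for an image pinned to a tag or digest, the `runAsNonRoot` and `readOnlyRootFilesystem` flags, and resource limits. The SBOM text, the advisory regexes and the manifest dict are constructed for the example and are assumptions: the CLI's real SBOM output and its risk scoring are not reproduced here, and the manifest is written in the JSON-equivalent shape that `kubectl apply -f` and `kubectl get deploy -o json` use.

```python
"""Pre-deployment gate: check the SPDX SBOM and the Kubernetes manifest
before `kubectl apply`.  Added example; not part of clnstrt-cli."""
import re

# Constructed sample in SPDX tag-value form, shaped like the `sbom.spdx`
# that `clnstrt-cli generate-sbom --format spdx` writes for the Flask app.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: my-app:v1

PackageName: python
SPDXID: SPDXRef-Package-python
PackageVersion: 3.12.0

PackageName: flask
SPDXID: SPDXRef-Package-flask
PackageVersion: 2.3.2
"""

# Constructed advisory list standing in for the threat-intel feed the CLI
# consults: package name -> regexes of affected versions.  Not real CVE data.
ADVISORIES = {
    "flask": [r"^2\.3\.[01]$"],  # hypothetical: 2.3.0 and 2.3.1 affected
}

# Constructed manifest: the Deployment from deployment.yaml above, in the
# dict/JSON shape that `kubectl apply -f` and `kubectl get deploy -o json` use.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "my-app", "namespace": "my-app"},
    "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "my-app"}},
             "template": {"metadata": {"labels": {"app": "my-app"}},
                          "spec": {"containers": [{
                              "name": "app",
                              "image": "YOUR_REGISTRY/my-app:v1",
                              "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                            "limits": {"cpu": "500m", "memory": "512Mi"}},
                              "securityContext": {"runAsNonRoot": True,
                                                  "readOnlyRootFilesystem": True}}]}}},
}


def parse_spdx_packages(text):
    """Return [(name, version)] from an SPDX tag-value document.
    PackageName opens a package block; the next PackageVersion belongs to it."""
    pkgs = []
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            pkgs.append([value, None])
        elif tag == "PackageVersion" and pkgs and pkgs[-1][1] is None:
            pkgs[-1][1] = value
    return [tuple(p) for p in pkgs]


def vulnerable_packages(pkgs, advisories=ADVISORIES):
    """Return the (name, version) pairs whose version matches an advisory."""
    return [(name, version) for name, version in pkgs
            for pattern in advisories.get(name.lower(), [])
            if version and re.match(pattern, version)]


def manifest_findings(manifest):
    """Check every container for the settings deployment.yaml relies on: an
    image pinned to a tag or digest (never :latest or untagged), the two
    securityContext flags, and resource limits."""
    findings = []
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        ref = image.rsplit("/", 1)[-1]  # drop the registry/repository path
        if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}: image {image!r} is not pinned to a tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits set")
    return findings


def gate(sbom_text, manifest):
    """Return every blocking problem; an empty list means safe to apply."""
    problems = [f"{n} {v} matches an advisory"
                for n, v in vulnerable_packages(parse_spdx_packages(sbom_text))]
    return problems + manifest_findings(manifest)


if __name__ == "__main__":
    import sys
    problems = gate(SAMPLE_SBOM, SAMPLE_MANIFEST)
    for p in problems:
        print("BLOCK:", p)
    print("OK: safe to apply" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

In a pipeline, replace `SAMPLE_SBOM` with the contents of `sbom.spdx` and `SAMPLE_MANIFEST` with the parsed manifest, and let the non-zero exit code stop the `kubectl apply` step; the advisory lookup is the piece that the CLI's `--include-threat-intel` analysis replaces with real data.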
Next Steps
1. Automate with CI/CD
GitHub Actions:
```yaml
name: Build & Sign
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: docker build -t my-app:${{ github.sha }} .
      - run: clnstrt-cli sign --image my-app:${{ github.sha }} --key cosign.key
      - run: docker push my-app:${{ github.sha }}
```

2. Monitor for New Vulnerabilities
```bash
intelligence monitor \
  --packages sbom.spdx \
  --interval 24h \
  --webhook https://your-system.com/alerts \
  --email security@company.com
```

3. Enforce Security Policies
```bash
intelligence policy generate \
  --template strict \
  --name "Production Policy" \
  --output prod-policy.yaml

intelligence policy apply \
  --policy prod-policy.yaml \
  --image YOUR_REGISTRY/my-app:v1
```

Troubleshooting
"Image not found"
```bash
docker images | grep my-app
docker pull YOUR_REGISTRY/my-app:v1
```

"API key invalid"
```bash
echo $CLEANSTART_API_KEY
# Regenerate in portal if needed
```

"SBOM analysis failed"
```bash
clnstrt-cli analyze-dependencies \
  --sbom sbom.spdx \
  --verbose
```

"Signature verification failed"
```bash
cat cosign.pub | head -5
clnstrt-cli sign --image YOUR_REGISTRY/my-app:v1 --key cosign.key
```

Resources
- CLI Reference: https://docs.cleanstart.dev/cli
- Image Catalog: https://images.cleanstart.dev
- API Docs: https://api.cleanstart.dev/docs
- Community: https://slack.cleanstart.dev
- Email: support@cleanstart.dev
Congratulations! You now have a production-ready, secure container image. 🎉
Next: Explore advanced features like multi-image scanning, custom policies, and supply chain monitoring.
