Verifying FIPS Compliance at Runtime
FIPS-Verifier scans container images and configurations to verify FIPS 140-3 compliance before deployment. It checks for CMVP-validated modules, approved algorithms, certificate validity, and configuration correctness.
CleanStart's FIPS-Verifier is the static compliance checker paired with FIPS-Traces (runtime monitoring).
Basic Usage
```bash
# Scan image for FIPS compliance
cleanimg-init --fips-verifier --image myapp:1.0.0

# Output:
# ✓ Base image is FIPS-validated (Ubuntu 24.04-fips)
# ✓ OpenSSL module is CMVP #4949 (FIPS)
# ✓ No non-FIPS crypto libraries detected
# ✓ TLS configuration uses FIPS ciphers
# ✓ Certificates use FIPS-approved hashing
# ✓ Overall compliance: FIPS Level 3 Ready
```

Detailed Scans
Check CMVP Module Certification
To verify that your image uses CMVP-certified FIPS modules, run the CMVP check to see the certification status and tested algorithms:
```bash
# Verify FIPS modules used are CMVP-certified
cleanimg-init --fips-verifier --image myapp:1.0.0 --check-cmvp

# Output:
# OpenSSL 3.0.10
# CMVP Certification: #4949
# Status: Active
# Tested Algorithms:
# ✓ AES-128/192/256 (GCM, CTR, CBC)
# ✓ RSA-PSS, RSA-PKCS#1-v1_5
# ✓ ECDSA, DSA
# ✓ SHA-256, SHA-384, SHA-512
# ✓ HMAC
# Last Updated: 2024-03-15
# Certificate: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4949
```

Check TLS Configuration
When verifying TLS settings, ensure that only FIPS-approved cipher suites are enabled and that TLS version minimums are set appropriately:
```bash
# Verify TLS uses FIPS-approved settings
cleanimg-init --fips-verifier --image myapp:1.0.0 --check-tls

# Output:
# TLS Configuration:
# ✓ Minimum Version: TLSv1.2 (FIPS-approved)
# ✓ Maximum Version: TLSv1.3 (FIPS-approved)
# ✓ Enabled Cipher Suites (all FIPS-approved):
#   - ECDHE-RSA-AES256-GCM-SHA384
#   - ECDHE-RSA-AES128-GCM-SHA256
#   - DHE-RSA-AES256-GCM-SHA384
# ✗ Disabled Non-FIPS Ciphers:
#   - RC4 (not FIPS-approved)
#   - DES (not FIPS-approved)
#   - ChaCha20-Poly1305 (not in validated mode)
```

Check Certificates
When checking certificates, verify that the key size, signature algorithm, and validity dates all meet FIPS requirements:
```bash
# Verify certificates use FIPS-approved algorithms
cleanimg-init --fips-verifier --image myapp:1.0.0 --check-certs

# Output:
# Certificate: /etc/nginx/certs/server.crt
# ✓ Key Algorithm: RSA-2048 (FIPS-approved, >= 2048-bit required)
# ✓ Signature Algorithm: sha256WithRSAEncryption (FIPS-approved)
# ✓ Key Usage: Digital Signature, Key Encipherment
# ✓ Valid Until: 2026-10-04 (not expired)
# ✓ Issuer: CN=Company-CA
# Certificate is FIPS-compliant
```

Check System Libraries
When scanning for cryptographic libraries, identify which ones are FIPS-validated and which are not:
```bash
# Scan for non-FIPS cryptographic libraries
cleanimg-init --fips-verifier --image myapp:1.0.0 --check-libs

# Output:
# System Cryptographic Libraries:
# ✓ libcrypto.so.3 from /usr/lib/fips (FIPS-validated)
# ✓ libssl.so.3 from /usr/lib/fips (FIPS-validated)
# ✓ libgcrypt.so from /usr/lib (FIPS-compatible)
# ✗ libnettle.so found (NOT FIPS-validated) - may be okay if not used for crypto
```

Compliance Levels
Report FIPS Compliance Level
```bash
# Get overall compliance level
cleanimg-init --fips-verifier --image myapp:1.0.0 --compliance-level

# Output can be:
# FIPS Level 1: Basic algorithm validation
# FIPS Level 2: Tamper detection + CMVP modules (typical for servers)
# FIPS Level 3: Tamper resistance (required for sensitive government)
# FIPS Level 4: Tamper responsiveness (military/classified)

# CleanStart achieves Level 2-3 with:
# - CMVP-validated modules (OpenSSL #4949)
# - Tamper detection via FIPS-Traces
# - Secure key storage
```

Policy-Based Verification
Create Custom FIPS Policies
```yaml
# fips-policy.yaml
policies:
  required-fips-modules:
    - openssl:>= 3.0
  required-tls-version:
    - minimum: TLSv1.2
    - maximum: TLSv1.3
  blocked-algorithms:
    - MD5
    - SHA1
    - DES
    - RC4
    - RSA-PKCS#1  # deprecated, use PSS
  required-key-sizes:
    RSA: >= 2048
    ECDSA: >= 256
    AES: [128, 192, 256]
  certificate-validation:
    - require-sha256-or-better
    - require-valid-dates
    - require-trusted-ca
```

Apply Policy
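Applying the policy means evaluating every certificate and TLS finding from the scan against these rules. The Python below is an added example of what that evaluation involves; it is not CleanStart's code and does not call the verifier. The policy dict is the YAML above transcribed by hand (PyYAML would produce the same structure), and the `FINDINGS` input is constructed sample data whose field names are an assumption, not the verifier's real report format. The RSA-1024 entry reproduces the violation the command's output reports.

```python
# Added example (not CleanStart's code): evaluating findings against fips-policy.yaml.
# POLICY is the page's YAML transcribed as a dict; FINDINGS is constructed sample
# data with an assumed field layout.
from datetime import date

POLICY = {
    "required-tls-version": [{"minimum": "TLSv1.2"}, {"maximum": "TLSv1.3"}],
    "blocked-algorithms": ["MD5", "SHA1", "DES", "RC4", "RSA-PKCS#1"],
    "required-key-sizes": {"RSA": ">= 2048", "ECDSA": ">= 256", "AES": [128, 192, 256]},
    "certificate-validation": [
        "require-sha256-or-better", "require-valid-dates", "require-trusted-ca",
    ],
}

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest to strongest
STRONG_HASHES = {"SHA256", "SHA384", "SHA512"}


def key_size_ok(rule, bits):
    """'>= 2048' is a minimum; a list such as [128, 192, 256] is an allow-list."""
    if isinstance(rule, list):
        return bits in rule
    op, value = rule.split()
    if op != ">=":  # the only operator the page's policy uses
        raise ValueError(f"unsupported operator {op!r}")
    return bits >= int(value)


def check_certificate(cert, policy, today, trusted_cas):
    """Return violation strings for one certificate finding."""
    out = []
    blocked = {a.upper() for a in policy["blocked-algorithms"]}
    rule = policy["required-key-sizes"].get(cert["key_algorithm"])
    if rule is not None and not key_size_ok(rule, cert["key_bits"]):
        out.append(f"{cert['key_algorithm']}-{cert['key_bits']} certificate found "
                   f"(policy requires {rule}): {cert['path']}")
    checks = policy["certificate-validation"]
    sig = cert["signature_hash"].upper()
    if sig in blocked:
        out.append(f"blocked signature hash {sig}: {cert['path']}")
    elif "require-sha256-or-better" in checks and sig not in STRONG_HASHES:
        out.append(f"signature hash {sig} is weaker than SHA256: {cert['path']}")
    if "require-valid-dates" in checks and date.fromisoformat(cert["not_after"]) < today:
        out.append(f"certificate expired on {cert['not_after']}: {cert['path']}")
    if "require-trusted-ca" in checks and cert["issuer"] not in trusted_cas:
        out.append(f"issuer {cert['issuer']} is not a trusted CA: {cert['path']}")
    return out


def check_tls(tls, policy):
    """Return violation strings for the TLS configuration finding."""
    out = []
    bounds = {}
    for entry in policy["required-tls-version"]:
        bounds.update(entry)
    if TLS_ORDER.index(tls["min_version"]) < TLS_ORDER.index(bounds["minimum"]):
        out.append(f"minimum TLS version {tls['min_version']} is below {bounds['minimum']}")
    if TLS_ORDER.index(tls["max_version"]) > TLS_ORDER.index(bounds["maximum"]):
        out.append(f"maximum TLS version {tls['max_version']} is above {bounds['maximum']}")
    blocked = {a.upper() for a in policy["blocked-algorithms"]}
    for suite in tls["ciphers"]:
        name = suite.upper()
        hits = sorted(a for a in blocked if a in name)
        if name.endswith("-SHA"):  # OpenSSL names SHA-1 HMAC suites with a bare "-SHA" suffix
            hits.append("SHA1")
        if hits:
            out.append(f"cipher suite {suite} uses blocked algorithm(s): {', '.join(hits)}")
    return out


def evaluate(findings, policy, today, trusted_cas):
    """Evaluate all findings; an empty list means the image passes the policy."""
    violations = []
    for cert in findings["certificates"]:
        violations.extend(check_certificate(cert, policy, today, trusted_cas))
    violations.extend(check_tls(findings["tls"], policy))
    return violations


# Constructed sample findings; the RSA-1024 certificate mirrors the page's example violation.
FINDINGS = {
    "certificates": [
        {"path": "/etc/nginx/certs/server.crt", "key_algorithm": "RSA", "key_bits": 2048,
         "signature_hash": "sha256", "not_after": "2026-10-04", "issuer": "CN=Company-CA"},
        {"path": "/etc/certs/old-cert.crt", "key_algorithm": "RSA", "key_bits": 1024,
         "signature_hash": "sha1", "not_after": "2023-06-30", "issuer": "CN=Company-CA"},
    ],
    "tls": {"min_version": "TLSv1.2", "max_version": "TLSv1.3",
            "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5"]},
}


def run_sample():
    """Evaluate the constructed findings with a fixed 'today' so results are reproducible."""
    return evaluate(FINDINGS, POLICY, date(2025, 1, 1), {"CN=Company-CA"})


if __name__ == "__main__":
    for v in run_sample():
        print("✗ VIOLATION:", v)
```

The date is passed in rather than read from the clock so that a CI run and a later re-run of the same report agree; the trusted-CA set is likewise an input, because which issuers count as trusted is an organizational decision, not something a scanner can infer from the image.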
```bash
# Verify image against policy
cleanimg-init --fips-verifier \
  --image myapp:1.0.0 \
  --policy fips-policy.yaml

# Output shows policy violations:
# ✗ VIOLATION: RSA-1024 certificate found (policy requires >= 2048)
#   File: /etc/certs/old-cert.crt
#   Remediation: Regenerate with RSA-2048
#
# ✓ All other policies passed
```

Integration with CI/CD
GitHub Actions Example
```yaml
name: FIPS Compliance Check

on: [pull_request, push]

jobs:
  fips-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: FIPS Verification
        run: |
          cleanimg-init --fips-verifier \
            --image myapp:${{ github.sha }} \
            --policy .github/fips-policy.yaml \
            --strict

      - name: Generate Report
        run: |
          cleanimg-init --fips-verifier \
            --image myapp:${{ github.sha }} \
            --report-format json \
            --output fips-report.json

      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: fips-report
          path: fips-report.json

      - name: Comment on PR
        if: github.event_name == 'pull_request'
        run: |
          # Parse report and post to PR
          echo "FIPS Compliance Check Passed" >> $GITHUB_STEP_SUMMARY
```

Kubernetes Admission Controller
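The ValidatingWebhookConfiguration below only routes pod CREATE requests to a service named `fips-verifier` at `/verify`; the page does not show what that service does with the request. As an added example (not CleanStart's code), the Python below implements the AdmissionReview v1 exchange such a backend has to speak: it collects every image the pod would pull, asks a verification callable about each one, and returns a response that echoes the request `uid` and either admits the pod or rejects it with a 403 and a message naming the unverified images. How an image is verified is left behind `is_verified(image)`; the sample `digest_pinned_and_verified` stand-in with its constructed allow-set is an assumption, standing where a real service would consult cached verifier results.

```python
# Added example (not CleanStart's code): the admission backend behind /verify.
# Request and response shapes follow the Kubernetes AdmissionReview v1 API; the
# verification callable and the constructed allow-set are assumptions.
import json

IMAGE_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_images(pod):
    """Every image reference a pod would pull, in the order kubelet starts them."""
    spec = pod.get("spec", {})
    return [c["image"] for field in IMAGE_FIELDS for c in spec.get(field, [])]


def handle_admission_review(review, is_verified):
    """Build the AdmissionReview response for one pod CREATE request.

    The request uid must be echoed back; the API server discards a response
    whose uid does not match.
    """
    request = review["request"]
    unverified = [img for img in pod_images(request.get("object", {})) if not is_verified(img)]
    response = {"uid": request["uid"], "allowed": not unverified}
    if unverified:
        response["status"] = {
            "code": 403,
            "message": "FIPS verification failed for image(s): " + ", ".join(unverified),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed stand-in for the verifier: images that previously passed, keyed by digest.
VERIFIED_DIGEST = "registry.example/myapp@sha256:" + "0" * 64  # constructed placeholder digest
VERIFIED_IMAGES = {VERIFIED_DIGEST}


def digest_pinned_and_verified(image):
    """Only digest references count: a tag can be re-pointed after it was verified."""
    return "@sha256:" in image and image in VERIFIED_IMAGES


# Constructed AdmissionReview request in the shape the API server POSTs to the webhook.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",  # constructed
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "spec": {
                "initContainers": [{"name": "migrate", "image": "myapp:1.0.0"}],
                "containers": [{"name": "app", "image": VERIFIED_DIGEST}],
            }
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_admission_review(SAMPLE_REVIEW, digest_pinned_and_verified), indent=2))
```

Two operational points follow from the configuration itself. With `failurePolicy: Fail`, an unreachable or slow webhook blocks every pod creation in the cluster, so the service needs more than one replica and its verification path must answer well inside the API server's timeout; running a full image scan synchronously inside the admission call is too slow, which is why the example checks a cache of earlier verifier results rather than scanning on demand. And because a tag such as `myapp:1.0.0` can be re-pointed after it was verified, admitting only digest references ties the admission decision to the exact bytes that were scanned.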
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: fips-verifier-check
webhooks:
- name: verify-fips.company.com
  failurePolicy: Fail
  sideEffects: None
  admissionReviewVersions: ["v1"]
  clientConfig:
    service:
      name: fips-verifier
      namespace: default
      path: "/verify"
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
```

Reporting
Generate Compliance Report
```bash
# Generate detailed FIPS compliance report
cleanimg-init --fips-verifier \
  --image myapp:1.0.0 \
  --report-format html \
  --output fips-compliance-report.html

# Report includes:
# - Executive summary (pass/fail)
# - CMVP module validation status
# - TLS configuration verification
# - Certificate analysis
# - Algorithm approval status
# - Remediation recommendations
# - Timestamp and signature
```

Export Machine-Readable Format
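The JSON report exists so that scripts can gate on it. The GitHub Actions workflow above leaves its "Parse report and post to PR" step as a comment; the Python below is an added example (not CleanStart's code) of the parsing half of that step: it applies the same filter as the `jq` one-liner further down (modules whose status is not active), adds any policy violations, writes a Markdown summary to `$GITHUB_STEP_SUMMARY` when that variable is set, and exits non-zero on failure so the job fails. Only `cmvp_modules[].status` is documented on this page; the other fields read here (`image`, `name`, `certificate`, `violations[]`) are an assumed shape, and `SAMPLE_REPORT` is constructed.

```python
# Added example (not CleanStart's code): turn the JSON report into a CI gate and summary.
# Only cmvp_modules[].status is documented on the page; the other fields are assumed.
import json
import os
import sys


def inactive_modules(report):
    """Same filter as the page's jq: modules whose status is not active.

    The CLI output prints 'Active' while the jq example compares against
    'active', so the comparison is case-insensitive.
    """
    return [m for m in report.get("cmvp_modules", []) if str(m.get("status", "")).lower() != "active"]


def summarize(report):
    """Return (passed, markdown) for a parsed report."""
    inactive = inactive_modules(report)
    violations = report.get("violations", [])
    passed = not inactive and not violations
    lines = [
        f"## FIPS Compliance Check: {'PASSED' if passed else 'FAILED'}",
        f"Image: `{report.get('image', 'unknown')}`",
        "",
    ]
    for m in report.get("cmvp_modules", []):
        mark = "✗" if m in inactive else "✓"
        lines.append(f"- {mark} {m.get('name')} (CMVP #{m.get('certificate')}): {m.get('status')}")
    for v in violations:
        lines.append(f"- ✗ VIOLATION: {v.get('message')} ({v.get('file', 'n/a')})")
        if v.get("remediation"):
            lines.append(f"  - Remediation: {v['remediation']}")
    return passed, "\n".join(lines) + "\n"


def main(path):
    """Summarize the report at path; return the process exit code (0 = pass)."""
    with open(path) as fh:
        passed, markdown = summarize(json.load(fh))
    # GitHub Actions exposes the step-summary file via this variable; fall back to stdout.
    summary_path = os.environ.get("GITHUB_STEP_SUMMARY")
    if summary_path:
        with open(summary_path, "a") as fh:
            fh.write(markdown)
    else:
        sys.stdout.write(markdown)
    return 0 if passed else 1


# Constructed sample report: the page's active OpenSSL module, a constructed
# module with a non-active status, and the page's RSA-1024 policy violation.
SAMPLE_REPORT = {
    "image": "myapp:1.0.0",
    "cmvp_modules": [
        {"name": "OpenSSL 3.0.10", "certificate": "4949", "status": "Active"},
        {"name": "legacy-module (constructed)", "certificate": "PLACEHOLDER", "status": "Historical"},
    ],
    "violations": [
        {"rule": "required-key-sizes", "file": "/etc/certs/old-cert.crt",
         "message": "RSA-1024 certificate found (policy requires >= 2048)",
         "remediation": "Regenerate with RSA-2048"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))
    passed, markdown = summarize(SAMPLE_REPORT)
    sys.stdout.write(markdown)
    sys.exit(0 if passed else 1)
```

Invoked as `python fips_summary.py fips-report.json` in the "Comment on PR" step, this replaces the unconditional "Passed" line with a summary that reflects the report, and the non-zero exit code makes the step fail when it should. Treat a module whose CMVP status is anything other than active as a failure rather than a warning: a certificate moved to the historical list no longer supports a compliance claim even though the binary in the image has not changed.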
```bash
# JSON report for programmatic use
cleanimg-init --fips-verifier \
  --image myapp:1.0.0 \
  --report-format json \
  --output report.json

# Can be parsed by scripts
cat report.json | jq '.cmvp_modules[] | select(.status != "active")'
```

Troubleshooting
FIPS Module Not Found
If the FIPS OpenSSL module isn't found in your image, verify it's installed and rebuild with the FIPS-enabled base image:
```bash
# Verify FIPS OpenSSL is installed
ldd /app/myapp | grep libcrypto
# Should show: libcrypto.so => /usr/lib/fips/libcrypto.so

# Solution: Rebuild image with FIPS OpenSSL
# FROM ubuntu:24.04-fips
# RUN apt-get install libssl3-fips openssl-fips
```

TLS Certificate Issues
When verifying TLS certificates, check the signature algorithm to ensure it's FIPS-approved:
```bash
# Check certificate validity
openssl x509 -in /etc/certs/server.crt -text -noout

# Verify signature algorithm is FIPS-approved
openssl x509 -in /etc/certs/server.crt -noout -text | grep "Signature alg"
# Should show: sha256WithRSAEncryption (not md5WithRSAEncryption)
```

Policy Violations
When policy violations occur, re-run with verbose output to see which rules fail:
```bash
# Re-run with verbose output
cleanimg-init --fips-verifier \
  --image myapp:1.0.0 \
  --policy fips-policy.yaml \
  --verbose

# Shows exactly which policy checks fail and why
```

Compliance Mapping
FIPS-Verifier evidence satisfies multiple compliance frameworks. For FIPS 140-3, it provides module validation certificates. For NIST 800-171, it addresses SC-13 (cryptographic controls). For FedRAMP, it provides SC-13 evidence. For PCI DSS, it satisfies Requirement 4.1 (strong cryptography). For HIPAA, it addresses § 164.312(a)(2)(i) (encryption controls).
Best Practices
- Verify Before Deployment: Run FIPS-Verifier in CI/CD pipeline to catch issues early
- Use Policies: Define organizational FIPS requirements as code
- Monitor Changes: Re-verify on updates to catch regressions
- Combine with Traces: FIPS-Verifier (static) + FIPS-Traces (runtime)
- Regular Updates: CMVP certifications change; rescan quarterly
See Also
- FIPS Overview: fips-140-overview.md — FIPS fundamentals.
- FIPS-Traces: fips-traces.md — Runtime monitoring.
- Language Implementations: fips-language-implementations.md — Language-specific FIPS support.
