The following diagram illustrates key security concepts and their relationships across the container supply chain:
```mermaid
graph TB
    A["Supply Chain<br/>End-to-End"] -->|Source| B["Repository<br/>Code"]
    B -->|Build| C["Provenance<br/>How Built"]
    C -->|Analyze| D["SBOM<br/>Bill of<br/>Materials"]
    D -->|Scan| E["CVE<br/>Vulnerabilities"]
    E -->|Assess| F["CVSS/EPSS<br/>Severity<br/>Exploitability"]
    F -->|Check| G["Policy<br/>Security<br/>Rules"]
    G -->|Attest| H["Attestation<br/>Cryptographic<br/>Proof"]
    H -->|Sign| I["Signature<br/>Authenticity"]
    I -->|SLSA| J["Supply Chain<br/>Integrity<br/>Level 4"]
    J -->|Verify| K["Cosign<br/>Signature<br/>Verification"]
    K -->|Deploy| L["Distroless<br/>Ultra-minimal<br/>Image"]
    L -->|Protect| M["OCI<br/>Standard<br/>Container"]
    A -->|Threats| N["Malware<br/>Injection<br/>Payload"]
    N -->|Detect| O["SAST<br/>Code<br/>Analysis"]
    N -->|Monitor| P["MITRE ATT&CK<br/>Tactics<br/>Techniques"]
    O -->|Remediate| Q["Fix<br/>Patch<br/>Update"]
    P -->|Respond| Q
    E -->|Intelligence| R["KEV<br/>Known<br/>Exploited"]
    R -->|Data| S["NVD<br/>OSV<br/>GHSA"]
    S -->|Feed| T["Intelligence<br/>Core<br/>Threat DB"]
    T -->|Warn| U["Risk Score<br/>Likelihood<br/>Impact"]
    K -->|Manage| V["Namespace<br/>Registry<br/>Path"]
    V -->|Ecosystem| W["npm, PyPI<br/>Maven, Go<br/>Rust"]
    W -->|Standards| X["SPDX<br/>FIPS<br/>Helm"]
    style A fill:#99ccff
    style C fill:#99ccff
    style D fill:#ccffcc
    style E fill:#ffcccc
    style H fill:#ccccff
    style K fill:#99ff99
    style L fill:#99ff99
    style M fill:#ffff99
```

A-D
Attestation — Cryptographic statement about a software artifact (SBOM, provenance, scan results).
ATLAS — MITRE's ATT&CK-style knowledge base of adversary tactics and techniques targeting AI/ML systems.
Attack Vector — Means of exploiting a vulnerability (network, physical, local, adjacent).
CVE — Common Vulnerabilities and Exposures; standardized identifier (e.g., CVE-2024-1234).
CVSS — Common Vulnerability Scoring System; severity metric (0.0-10.0: Low, Medium, High, Critical).
Cosign — Tool for signing and verifying container images using cryptographic keys.
Dependency — External library or package required by software.
Distroless — Ultra-minimal images with only binaries and runtime, no shell.
E-H
Ecosystem — Package management system (npm, PyPI, Maven, Go, Rust, etc.).
EPSS — Exploit Prediction Scoring System; likelihood of real-world exploitation.
FIPS — Federal Information Processing Standards; US government cryptography standards (140-2, 140-3).
GHSA — GitHub Security Advisory; vulnerability database by GitHub.
Helm — Kubernetes package manager using charts for deployments.
I-M
Injection — Inserting code, certificates, or configuration into container images without rebuilding.
Intelligence Core — CleanStart's threat intelligence and vulnerability analysis system.
KEV — Known Exploited Vulnerabilities; CISA list of actively exploited CVEs.
Layer — Individual filesystem snapshot in a container image (read-only).
Malware — Malicious software designed to harm systems or steal data.
MITRE ATT&CK — Framework of adversary tactics and techniques from real-world observations.
N-P
Namespace — Registry path (e.g., gcr.io/my-project/my-app); also K8s resource isolation.
NVD — National Vulnerability Database; US government CVE database.
OCI — Open Container Initiative; container image and registry standards.
OSV — Open Source Vulnerabilities database; ecosystem-specific data.
Patch — Security update or bug fix by vendor.
Payload — Data or code delivered by malicious software to perform intended action.
Policy — Security rules defining allowed/forbidden software (vulnerabilities, attestations).
Provenance — Record of how software was built (environment, dependencies, build actions).
R-S
Remediation — Action taken to fix or mitigate vulnerability/security issue.
Repository — Storage for source code or container images.
Risk Score — Numerical assessment of vulnerability severity (exploitability, impact, context).
SBOM — Software Bill of Materials; inventory of all components in application.
SAST — Static Application Security Testing; code analysis without execution.
Severity — Rating of vulnerability impact (Critical, High, Medium, Low, Info).
Signature — Cryptographic proof of authenticity and integrity.
SLSA — Supply-chain Levels for Software Artifacts; framework for artifact integrity and provenance.
SPDX — Software Package Data Exchange; standard SBOM format.
Supply Chain — End-to-end process of creating and distributing software.
T-Z
Threat — Malicious or suspicious activity that could compromise security.
Threat Intelligence — Data and analysis about current and potential threats.
TLS/SSL — Cryptographic protocols for secure network communication.
Typosquatting — Registering package names similar to popular packages to trick users.
Vulnerability — Security weakness that could be exploited to cause harm.
Zero-day — Vulnerability unknown to vendor; exploitable before patch availability.
CleanStart-Specific Terms
cleanimg-customize — Declarative CLI tool (v0.3.0) that generates multi-stage Dockerfiles from YAML specs (IncrementalSpec) for customizing CleanStart images. Supports package installation, artifact injection, config files, user management, and resource hints. Distributed as a container image.
cleanimg-init — Setup tool for initializing CleanStart projects and security scanning.
CleanStart Source Intelligence Core — Central intelligence system for supply chain security analysis.
clnstrt-cli — Docker-based CLI tool for DevOps workflows: analyze, build, push, scan, sign, verify, and manage container images and dependencies. The command-line binary is clnstrt. Separate from cleanimg (the Rust-based image builder).
Threat Remediation API — Programmatic API for vulnerability scanning and remediation guidance.
Quick Reference by Category
Vulnerability & Risk
CVE, CVSS, EPSS, KEV, NVD, GHSA, OSV, Severity, Zero-day
Supply Chain Security
SBOM, SLSA, Provenance, Attestation, Supply Chain, SCA, Malware, Backdoor
Container & Images
Base Image, Layer, Manifest, OCI, Registry, Distroless, Digest
Cryptography & Signing
Cosign, PGP/GPG, Signature, TLS/SSL, FIPS, CA Certificate
Scanning & Analysis
Scanner, Trivy, SAST, Linting, Fuzzing, Taint Analysis
Threat Intelligence
Threat, Threat Intelligence, MITRE ATT&CK, ATLAS, IOCs, STIX
Kubernetes & DevOps
Kubernetes, Helm, Namespace, Pod, Service, Ingress
CleanStart Platform
clnstrt-cli, cleanimg, cleanimg-init, cleanimg-customize, Threat Remediation API, CleanStart Source Intelligence Core (CleanStart Verified Source)
Last Updated: January 2024
Contact: support@cleanstart.dev
