This repository contains the Helm chart for deploying DevGuard, a security and vulnerability management platform, on Kubernetes clusters.
Get started by following the installation instructions in the DevGuard documentation.
You can find the default configuration values in the values.yaml file. Customize these values as needed for your deployment.
For api.image, web.image, and postgresql.image, the chart supports both:
- Full image string (for example
ghcr.io/l3montree-dev/devguard:0.13.0orghcr.io/l3montree-dev/devguard@sha256:...) - Object format with
repository,tag, optionaldigest, andpullPolicy
When digest is set in object format, it is preferred over tag and rendered as repository@digest.
The chart includes an optional Kyverno policy for supply chain security. Enable it with:
kyvernoPolicy:
enabled: true
validationFailureAction: Enforce # or AuditThe policy enforces three rules on all Pods in the namespace:
| Rule | Image | Verification |
|---|---|---|
verify-devguard-images |
ghcr.io/l3montree-dev/devguard* |
Cosign signature + SLSA provenance attestation |
verify-kratos-image |
oryd/kratos* |
Cosign signature |
verify-otel-collector-image |
otel/opentelemetry-collector-contrib* |
Keyless signature (GitHub Actions OIDC) |
For DevGuard images, the policy additionally verifies the SLSA provenance attestation and checks that:
- The builder ID is
devguard.org - The image was built from
https://github.com/l3montree-dev/devguard - The commit was authored by a known maintainer
See tests/kyverno/README.md for instructions on running the policy tests locally.