Buildah Security

Control	Status	Notes
Rootless builds enabled	☐	User namespaces configured
Build host isolated	☐	Separate from production
Build cache secured	☐	Proper permissions, regular cleanup
No privileged builds	☐	Unless absolutely necessary
Dockerfiles linted	☐	hadolint in CI/CD
Base images pinned	☐	By digest, no `latest`
Build context scanned	☐	gitleaks/trufflehog
Images signed	☐	cosign with key or keyless
Signature policy enforced	☐	policy.json configured
Build provenance recorded	☐	SLSA attestation
Only trusted registries	☐	Insecure registries disabled
CI/CD secured	☐	Secrets protected
Images scanned	☐	Trivy before push
Build activity audited	☐	auditd configured

¶ Buildah Security & Hardening