Facet
Cryptographically sealed manifests for logical slices of container images.
Purpose
The Facet Sealing subsystem provides cryptographically sealed manifests for logical slices of container images, enabling fine-grained drift detection, per-facet quota enforcement, and deterministic change tracking.
Quick Links
- Architecture - Technical design and implementation details
Status
| Attribute | Value |
|---|---|
| Maturity | Production |
| Last Reviewed | 2025-12-29 |
| Maintainer | Scanner Guild, Policy Guild |
Key Features
- Facet Types: OS packages, language dependencies, binaries, configs, custom patterns
- Cryptographic Sealing: Each facet can be individually sealed with a cryptographic snapshot
- Drift Detection: Monitor changes between seals for compliance enforcement
- Merkle Tree Structure: Content-addressed storage with integrity verification
Dependencies
Upstream (this module depends on)
- Scanner - Facet extraction during image analysis
- Attestor - DSSE signing for sealed facets
Downstream (modules that depend on this)
- Policy - Drift detection and quota enforcement
- Replay - Facet verification in replay workflows