$crond.io

Security

Every release artifact has a mandatory SHA-256 checksum and is signed with a keyless cosign certificate bound to the release workflow's OIDC identity. Tooling is optional; the guarantees stay the same whether you check them or not, but checking them is a one-line command.

What ships with every release

  • checksums.txt — SHA-256 for every archive, deb, rpm
  • checksums.txt.sig + checksums.txt.pem — cosign keyless signature and X.509 certificate
  • One <artifact>.tar.gz.sbom.json per platform — Syft-generated SBOM with full dependency inventory
  • Multi-arch Docker manifest at ghcr.io/platops-security/crond-io/agent:<version> — signed with the same keyless identity

Verify checksum (always present)

The install script does this automatically. If you downloaded manually:

VERSION=0.2.0
curl -sSfLO "https://github.com/platops-security/crond-io/releases/download/v${VERSION}/checksums.txt"
sha256sum --ignore-missing -c checksums.txt

Verify cosign signature (strongest)

Requires the cosign CLI. The signature is bound to the GitHub Actions workflow that built the release — a leaked GITHUB_TOKEN alone can't forge a valid signature; an attacker would need to run this exact workflow on this repo.

VERSION=0.2.0
REPO=platops-security/crond-io

curl -sSfLO "https://github.com/${REPO}/releases/download/v${VERSION}/checksums.txt"
curl -sSfLO "https://github.com/${REPO}/releases/download/v${VERSION}/checksums.txt.sig"
curl -sSfLO "https://github.com/${REPO}/releases/download/v${VERSION}/checksums.txt.pem"

cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity "https://github.com/${REPO}/.github/workflows/release-agent.yml@refs/tags/v${VERSION}" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

Expected output: Verified OK.

Mandatory verification at install time

Set INSTALL_REQUIRE_SIG=1 to make the install script abort if cosign isn't present or the signature can't be verified:

curl -sSfL https://get.crond.io | INSTALL_REQUIRE_SIG=1 sh

The project's own GitHub Actions CI smoke test installs this way on every PR that touches install.sh, so any future drift in the signing identity is caught before it reaches users.

Verify the Docker image signature

cosign verify \
  --certificate-identity 'https://github.com/platops-security/crond-io/.github/workflows/release-agent.yml@refs/tags/v0.2.0' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/platops-security/crond-io/agent:0.2.0

SBOMs

Each platform tarball ships with a Syft-generated CycloneDX SBOM as a sibling .sbom.json on the GitHub release. Feed it to your vulnerability scanner of choice (Grype, Trivy, Snyk) without re-running the build:

VERSION=0.2.0
curl -sSfLO "https://github.com/platops-security/crond-io/releases/download/v${VERSION}/crond-agent_${VERSION}_linux_amd64.tar.gz.sbom.json"
grype sbom:crond-agent_${VERSION}_linux_amd64.tar.gz.sbom.json

Privacy: what gets sent to crond.io

By default the agent ships the wrapped command's stdout/stderr in the ping payload alongside the exit code and duration. Two knobs control that — both in /etc/crond-agent/config.yaml or via env vars:

Config key      | Env var                | What it does
capture_output  | CROND_CAPTURE_OUTPUT   | Set false to drop stdout/stderr from the payload entirely
redact_patterns | CROND_REDACT_PATTERNS  | Go regexps applied line-buffered to captured streams; matches become [REDACTED]

The host stdout/stderr passthrough (visible to kubectl logs, /var/log/cron) is never redacted — that stream stays raw for local debugging. Only the cross-host payload is filtered.
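The split described above (raw host passthrough, redacted cross-host payload, capture_output off entirely), as an added illustrative Go reimplementation that is not the agent's own code; the function and type names are assumptions, and the sample job output is constructed:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Redactor holds compiled redact_patterns (Go regexp syntax); an illustrative
// reimplementation of the documented behaviour, not the agent's own code.
type Redactor []*regexp.Regexp

// NewRedactor compiles patterns up front so a bad regexp fails at startup.
func NewRedactor(exprs []string) (Redactor, error) {
	var r Redactor
	for _, e := range exprs {
		re, err := regexp.Compile(e)
		if err != nil {
			return nil, fmt.Errorf("redact pattern %q: %w", e, err)
		}
		r = append(r, re)
	}
	return r, nil
}

// RedactLine replaces every match of every pattern with [REDACTED].
func (r Redactor) RedactLine(line string) string {
	for _, re := range r {
		line = re.ReplaceAllString(line, "[REDACTED]")
	}
	return line
}

// Capture writes each raw line to passthrough (host stream, never redacted) and
// collects redacted lines for the payload; captureOutput=false drops the payload.
func Capture(src io.Reader, passthrough io.Writer, r Redactor, captureOutput bool) (string, error) {
	var payload strings.Builder
	sc := bufio.NewScanner(src)
	for sc.Scan() {
		fmt.Fprintln(passthrough, sc.Text())
		if captureOutput {
			payload.WriteString(r.RedactLine(sc.Text()) + "\n")
		}
	}
	return payload.String(), sc.Err()
}
```

Feeding "Authorization: Bearer abc123" through Capture with the pattern `Bearer \S+` leaves the passthrough line intact and yields "Authorization: [REDACTED]" in the payload.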

See CLI Usage for working redact_patterns examples.