v0.4.2regionus-east-1builds/7d41pipeline active

FLA / PUBLIC BETA

catalog/auth/authentik

VERIFIEDSLSA L3NEVER REBUILT·FLA-2026-0003

AUTHENTIK

v2024.4.1

Open-source identity provider with OIDC and SAML.

by goauthentik·sso · oidc · saml · python

TRUST SCORE

SLSA LEVEL

CVE FINDINGS

LAST REBUILD

48h

TRUST SCORE BREAKDOWN

How 94 adds up.

methodology →

VULNERABILITY POSTURE

+36/ 40

0 critical, 0 high — full credit

SLSA ATTESTATION

+25/ 25

L3 provenance level

SIGNATURE CHAIN

+20/ 20

cosign keyless · Rekor logged

SBOM COMPLETENESS

+13/ 15

CycloneDX 1.5 · all components

Per-component contribution to the 94 headline.methodology →

02RECEIPTS

Three independent proofs. Hash-linked. Public.

Every module ships with three cryptographic receipts you can run against public Sigstore infrastructure. Below is exactly what flareo verify authentik outputs.

cosign verify · signature + identity

PASS

$ cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity-regexp '.*flareo/build.*' \ ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2 Verification for ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2 ✓ The cosign claims were validated ✓ The code signatures are valid for existing certificates ✓ Existence of the claims in the transparency log was verified offline ✓ The certificate issuer URL matches Flareo's build pipeline [rekor entry: f1a2b7c8d9e0f1a2...9e0f1a2] [signer: flareo-bot@github/flareo/build.yml@refs/heads/main]

03DEPLOY · WHAT YOU WALK AWAY WITH

Real takeaway artifacts. Yours to keep.

Every output references the verified sha256 digest, not the mutable tag — your deploy stays on the exact image you trusted, even if upstream repoints :latest tomorrow. We don't host your deployment; we prepare it.

# Generated by flareo 0.4.2 — pinned to verified digest
# AUTHENTIK v2024.4.1 · trust 94/100 · SLSA L3
version: "3.9"

services:
  authentik:
    image: ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2
    container_name: authentik
    restart: unless-stopped
    ports:
      - "9000:9000"
    volumes:
      - ./data:/data
      - ./config:/etc/config:ro
    environment:
      ADMIN_TOKEN: ${ADMIN_TOKEN}
      DOMAIN: ${DOMAIN}
      SMTP_HOST: ${SMTP_HOST}
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost:9000/health || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3

# Verify the image before pulling:
#   cosign verify ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2…
#   --certificate-identity 'https://github.com/flareo/build/.github/workflows/canary-rebuild.yml@refs/heads/main'
#   --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

No lock-in by design. These files run anywhere — your VPS, your Kubernetes cluster, a homelab NUC, an air-gapped lab. Flareo is not in your runtime path after you copy them out.

↓ DOWNLOAD .md BUNDLE

04SBOM

Every package, every version, every license.

CycloneDX 1.4 format. Downloadable as JSON or XML. When the next CVE lands, you can grep this file instead of guessing whether your image is affected.

SBOM META

format: CycloneDX 1.4
packages: 48
size: 210 KB
licenses: 6 unique

PACKAGE

VERSION

LICENSE

SIZE

tokio

1.36.0

MIT

420KB

rocket

0.5.0

MIT/Apache-2.0

180KB

diesel

2.1.4

MIT/Apache-2.0

96KB

Rebuild history

DAILY CANARY CHAIN

LAST REBUILT

never

awaiting first rebuild

SUCCESSES · 7D

fresh signed images

UNCHANGED · 7D

upstream didn't move

FAILURES · 7D

clean run

No rebuild attempts yet. The first daily canary run will appear here within 24 hours of this module being published.

Every module in the Flareo catalog is rebuilt daily from upstream source, rescanned for CVEs, and re-signed with cosign. If upstream hasn't changed, the existing signature stays valid. If a new critical CVE lands, the module flips to status: failing and the deploy panel surfaces the CVE list until upstream ships a fix.

Community reviews

FROM OPERATORS WHO USED IT

No ratings yet. When operators leave reviews, the average appears here alongside a histogram of the scores.

No reviews yet. Be the first to share how this module has worked for you.

SEE SOMETHING WRONG WITH THIS MODULE?

catalog/auth/authentik

VERIFIEDSLSA L3NEVER REBUILT·FLA-2026-0003

AUTHENTIK

v2024.4.1

Open-source identity provider with OIDC and SAML.

by goauthentik·sso · oidc · saml · python

TRUST SCORE

SLSA LEVEL

CVE FINDINGS

LAST REBUILD

48h

TRUST SCORE BREAKDOWN

How 94 adds up.

methodology →

VULNERABILITY POSTURE

+36/ 40

0 critical, 0 high — full credit

SLSA ATTESTATION

+25/ 25

L3 provenance level

SIGNATURE CHAIN

+20/ 20

cosign keyless · Rekor logged

SBOM COMPLETENESS

+13/ 15

CycloneDX 1.5 · all components

Per-component contribution to the 94 headline.methodology →

02RECEIPTS

Three independent proofs. Hash-linked. Public.

Every module ships with three cryptographic receipts you can run against public Sigstore infrastructure. Below is exactly what flareo verify authentik outputs.

cosign verify · signature + identity

PASS

03DEPLOY · WHAT YOU WALK AWAY WITH

Real takeaway artifacts. Yours to keep.

# Generated by flareo 0.4.2 — pinned to verified digest
# AUTHENTIK v2024.4.1 · trust 94/100 · SLSA L3
version: "3.9"

services:
  authentik:
    image: ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2
    container_name: authentik
    restart: unless-stopped
    ports:
      - "9000:9000"
    volumes:
      - ./data:/data
      - ./config:/etc/config:ro
    environment:
      ADMIN_TOKEN: ${ADMIN_TOKEN}
      DOMAIN: ${DOMAIN}
      SMTP_HOST: ${SMTP_HOST}
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost:9000/health || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3

# Verify the image before pulling:
#   cosign verify ghcr.io/flareo/authentik@sha256:b7c8d9e0f1a2…
#   --certificate-identity 'https://github.com/flareo/build/.github/workflows/canary-rebuild.yml@refs/heads/main'
#   --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

No lock-in by design. These files run anywhere — your VPS, your Kubernetes cluster, a homelab NUC, an air-gapped lab. Flareo is not in your runtime path after you copy them out.

↓ DOWNLOAD .md BUNDLE

04SBOM

Every package, every version, every license.

CycloneDX 1.4 format. Downloadable as JSON or XML. When the next CVE lands, you can grep this file instead of guessing whether your image is affected.

SBOM META

format: CycloneDX 1.4
packages: 48
size: 210 KB
licenses: 6 unique

PACKAGE

VERSION

LICENSE

SIZE

tokio

1.36.0

MIT

420KB

rocket

0.5.0

MIT/Apache-2.0

180KB

diesel

2.1.4

MIT/Apache-2.0

96KB

Rebuild history

DAILY CANARY CHAIN

LAST REBUILT

never

awaiting first rebuild

SUCCESSES · 7D

fresh signed images

UNCHANGED · 7D

upstream didn't move

FAILURES · 7D

clean run

No rebuild attempts yet. The first daily canary run will appear here within 24 hours of this module being published.

Community reviews

FROM OPERATORS WHO USED IT

No ratings yet. When operators leave reviews, the average appears here alongside a histogram of the scores.

No reviews yet. Be the first to share how this module has worked for you.

SEE SOMETHING WRONG WITH THIS MODULE?