Autonomize · Genesis Downloads


Scan the bundle with your existing tools

Genesis ships scannable artifacts — CycloneDX SBOM, cosign keyless signatures, sha256 checksums, HIPAA attestation PDF, rendered Helm manifests. We do not ship a scanner, a registry, an admission policy, or a runtime agent. Use the tools you already operate.


What you receive per release

genesis-{ops|platform}-{ver}.tar.zst

Zarf bundle. Contains the Helm chart and every container image as OCI archives. Un-tar with zstd -d if you reject Zarf.

{bundle}.tar.zst.cosign.bundle

Keyless cosign signature, rooted in the public Sigstore TUF root. Verify offline with a TUF mirror or the pre-fetched trust root.

{bundle}.tar.zst.sha256

SHA-256 checksum. Verify with sha256sum -c after sneakernet to catch transit corruption.

sbom-{ver}.cdx.json

CycloneDX 1.5 SBOM. Every container layer + OS package + Python wheel. Most scanners read it directly — no extraction required.

hipaa-attestation-{ver}.pdf

Signed PDF enumerating every change since the previous release that touches PHI handling, encryption, audit logging, or access control.

release-notes-{ver}.md

Plain-text changelog. Pull it into your change-management ticket before the bundle crosses the air-gap.
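The two artifacts that gate the bundle at the gap host are the `.sha256` sidecar and the cosign bundle, and the order matters: a checksum failure is transit corruption and should stop the process before cosign ever runs. The script below is an added example, not Autonomize tooling; it mirrors `sha256sum -c` (streaming the file, accepting either a bare digest or the `<hex>  <name>` form, and refusing a sidecar that names a different file) and then shells out to `cosign verify-blob` with the identity and issuer values from the pre-deploy steps on this page. The release directory, file names and version are placeholders.

```python
"""Gap-host gate: sha256 sidecar first, keyless cosign verification second.

Added example, not Genesis tooling. Assumes the artifact naming on this page
(<bundle>.sha256, <bundle>.cosign.bundle) and the cosign flags from step 1.
"""
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path
from typing import Optional

# Identity and issuer pinned in the page's cosign verify-blob invocation.
CERT_IDENTITY_RE = "https://dev.azure.com/autonomize-sprint/.*"
OIDC_ISSUER = "https://app.vstoken.visualstudio.com"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-GB bundle is never read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256_sidecar(text: str, expected_name: Optional[str] = None) -> str:
    """Accept a bare hex digest or the sha256sum form `<hex>  <name>`.

    Rejects malformed digests and a sidecar that names some other file,
    so a mislabelled pair cannot pass by accident.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty .sha256 sidecar")
    parts = lines[0].split()
    digest = parts[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed digest in sidecar: {digest!r}")
    if expected_name and len(parts) > 1 and parts[1].lstrip("*") != expected_name:
        raise ValueError(f"sidecar names {parts[1]!r}, expected {expected_name!r}")
    return digest


def checksum_ok(bundle: Path, sidecar: Path) -> bool:
    """Compare in constant time; the digest is short but the habit is cheap."""
    expected = parse_sha256_sidecar(sidecar.read_text(), bundle.name)
    return hmac.compare_digest(sha256_file(bundle), expected)


def cosign_argv(bundle: Path) -> list:
    """The verify-blob invocation from pre-deploy step 1, as an argv list."""
    return [
        "cosign", "verify-blob",
        "--bundle", f"{bundle}.cosign.bundle",
        "--certificate-identity-regexp", CERT_IDENTITY_RE,
        "--certificate-oidc-issuer", OIDC_ISSUER,
        str(bundle),
    ]


def gate(bundle: Path) -> bool:
    """Fail closed: a bad checksum means cosign is never called at all."""
    sidecar = bundle.with_name(bundle.name + ".sha256")
    if not checksum_ok(bundle, sidecar):
        print(f"REJECT {bundle.name}: sha256 mismatch (transit corruption?)")
        return False
    proc = subprocess.run(cosign_argv(bundle), capture_output=True, text=True)
    if proc.returncode != 0:
        print(f"REJECT {bundle.name}: cosign verification failed\n{proc.stderr}")
        return False
    print(f"ACCEPT {bundle.name}: checksum and keyless signature verified")
    return True


if __name__ == "__main__":
    # Usage: python gate.py ./genesis-platform-<ver>.tar.zst   (placeholder path)
    sys.exit(0 if gate(Path(sys.argv[1])) else 1)
```

Run it against the bundle path; a non-zero exit is the signal your transfer procedure should key on, and the sidecar and cosign bundle are located by the page's naming convention rather than passed separately, so a renamed file fails rather than silently pairing with the wrong sidecar.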


Pre-deploy — gap-host scanning, before bundles cross the air-gap

  1. Verify the cosign signature.

    Rooted in public Sigstore TUF. If this fails, the bundle does not cross the boundary.

    cosign verify-blob \
      --bundle genesis-platform-{ver}.tar.zst.cosign.bundle \
      --certificate-identity-regexp 'https://dev.azure.com/autonomize-sprint/.*' \
      --certificate-oidc-issuer 'https://app.vstoken.visualstudio.com' \
      genesis-platform-{ver}.tar.zst
  2. Vulnerability scan the SBOM.

    Trivy, Grype, Snyk, Black Duck, Mend — all read CycloneDX SBOM directly. Pick yours; gate on your CVE policy.

    trivy sbom ./sbom-{ver}.cdx.json --severity CRITICAL,HIGH --exit-code 1
    grype sbom:./sbom-{ver}.cdx.json --fail-on high
    snyk sbom test --file=./sbom-{ver}.cdx.json --severity-threshold=high
  3. Per-image scanning (if your scanner needs image archives).

    Aqua, Twistlock, Prisma Cloud prefer to scan image archives directly. Extract them from the bundle and feed your scanner.

    zarf package inspect genesis-platform-{ver}.tar.zst       # list images
    zarf tools registry copy oci://./genesis-platform-{ver}.tar.zst dir:./images/
    
    for img in ./images/*; do
      trivy image --input "$img" --severity HIGH,CRITICAL --exit-code 1
    done
  4. Helm chart misconfiguration scanning.

    Render manifests offline, run them through Kubescape / Polaris / Datree / OPA Gatekeeper / Kyverno / your in-house rego.

    zarf package inspect genesis-platform-{ver}.tar.zst --extract-helm \
      > rendered-manifests.yaml
    
    kubescape scan rendered-manifests.yaml --framework nsa,mitre,cis-eks
    polaris audit --audit-path rendered-manifests.yaml
    conftest test rendered-manifests.yaml --policy ./your-rego-policies/
  5. License + secret scanning.

    FOSSA, Black Duck, Mend ingest the SBOM directly for license analysis. gitleaks / trufflehog over the rendered manifests catch accidental secrets — Genesis manifests contain none, but check anyway.

    fossa sbom analyze sbom-{ver}.cdx.json
    gitleaks detect --no-git --source ./rendered-manifests.yaml
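Steps 2 and 5 both hand the CycloneDX file to a commercial scanner, which is the right default. What those scanners do with the license fields is easy to replicate for an in-house gate, and doing so lets you check the claim later on this page that Genesis dependencies are MIT / Apache-2.0 only. The script below is an added example, not Genesis tooling: it walks `components[]`, reads each entry's `licenses[]` (SPDX `id`, free-text `name`, or an `expression`), flags anything outside the allowlist and anything with no license data at all, and skips `container` components, which are inventory rather than licensed dependencies. The SBOM document embedded in it is constructed for illustration.

```python
"""License allowlist + inventory over a CycloneDX 1.5 SBOM.

Added example, not Genesis tooling. The allowlist mirrors the page's
MIT / Apache-2.0 statement; the SBOM below is constructed, not a real one.
"""
import json
from collections import Counter

ALLOWED_LICENSES = {"MIT", "Apache-2.0"}

# Constructed CycloneDX 1.5 fragment: an allowed library, a GPL OS package,
# a library with no license data, and a container image (inventory only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2-1",
         "purl": "pkg:deb/debian/readline@8.2-1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1",
         "purl": "pkg:pypi/mystery-lib@0.1"},
        {"type": "container", "name": "genesis-api", "version": "1.2.3"},
    ],
})


def component_licenses(comp: dict) -> list:
    """CycloneDX permits an SPDX `id`, a free-text `name`, or an `expression`.

    Compound expressions (e.g. "MIT OR GPL-2.0-only") are returned whole; they
    will not match a single allowlist entry and so surface for manual review,
    which is the safe default without a full SPDX expression parser.
    """
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        if "id" in lic:
            out.append(lic["id"])
        elif "name" in lic:
            out.append(lic["name"])
    return out


def check_sbom(sbom_json: str, allowed=ALLOWED_LICENSES) -> dict:
    """Return violations, components with unknown license, and a type count."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    violations, unknown, by_type = [], [], Counter()
    for comp in doc.get("components", []):
        ref = f"{comp.get('name')}@{comp.get('version')}"
        by_type[comp.get("type", "?")] += 1
        if comp.get("type") == "container":
            continue  # images are inventory; their contents are separate components
        lics = component_licenses(comp)
        if not lics:
            unknown.append(ref)  # no data is a finding, not a pass
        for lic in lics:
            if lic not in allowed:
                violations.append((ref, lic))
    return {
        "violations": violations,
        "unknown": unknown,
        "by_type": dict(by_type),
        "passed": not violations and not unknown,
    }


if __name__ == "__main__":
    # Swap SAMPLE_SBOM for open("sbom-<ver>.cdx.json").read() on a real release.
    result = check_sbom(SAMPLE_SBOM)
    for ref, lic in result["violations"]:
        print(f"LICENSE VIOLATION {ref}: {lic}")
    for ref in result["unknown"]:
        print(f"NO LICENSE DATA   {ref}")
    print("inventory:", result["by_type"], "passed:", result["passed"])
```

Treating a component with no license data as a failure rather than a pass is the one design choice worth keeping when you adapt this: a scanner that silently skips unlicensed entries turns the allowlist into a suggestion.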

Post-deploy — once images land in your registry

Registry-side scanning

Harbor (Trivy), Azure Defender for Containers, AWS Inspector v2, Google Container Analysis, Nexus IQ, JFrog Xray — whichever your registry runs — scans on every push automatically. We don't configure this; your registry policy does.

Admission policy

Kyverno or OPA Gatekeeper gates what runs. Common rules: only images from your registry, only images cosign-signed by Sigstore identity matching the AzDO release pipeline, runAsNonRoot, readOnlyRootFilesystem.

Runtime detection

Aqua, Sysdig, Falco, Wiz, Orca, Prisma Cloud watch running pods. Genesis pods conform to PodSecurityStandards restricted; preflight's secpolicies check verifies before install.
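Pre-deploy step 4 and the admission policy paragraph above evaluate the same properties at two points in time: once over the rendered manifests on the gap host, and again when the API server admits a pod. The script below is an added example, not Genesis tooling and not a replacement for Kyverno or Gatekeeper; it makes explicit what the rules listed above check (image from your registry, `runAsNonRoot`, `readOnlyRootFilesystem`, and `allowPrivilegeEscalation: false`, which the restricted PodSecurity profile also requires). It handles bare Pods and any workload with a pod template, applies the pod-level `runAsNonRoot` to containers that do not override it, and checks initContainers as well. The manifests are constructed Python dicts so the script runs without PyYAML; on a real run, load `rendered-manifests.yaml` with `yaml.safe_load_all()`. The registry name is a placeholder.

```python
"""Admission-style checks over rendered manifests.

Added example, not Genesis tooling. Registry name is a placeholder; the
manifests below are constructed, not Genesis chart output.
"""
from typing import Optional

ALLOWED_REGISTRIES = ("your-acr.azurecr.io/",)  # placeholder, as elsewhere on this page


def pod_spec(obj: dict) -> Optional[dict]:
    """Return the PodSpec of a bare Pod or of any workload with a pod template."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    tmpl = obj.get("spec", {}).get("template")  # Deployment, StatefulSet, Job, ...
    return tmpl.get("spec", {}) if tmpl else None


def image_registry_ok(image: str) -> bool:
    """A registry prefix is required; bare `busybox:1.36` resolves to docker.io."""
    return image.startswith(ALLOWED_REGISTRIES)


def check_workload(obj: dict) -> list:
    """Return one finding string per violated rule, empty when compliant."""
    spec = pod_spec(obj)
    if spec is None:
        return []  # ConfigMap, Service, etc.: nothing to admit
    name = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
    findings = []
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}:{c['name']}"
        sc = c.get("securityContext", {})
        if not image_registry_ok(c.get("image", "")):
            findings.append(f"{cname} image {c.get('image')!r} not from an approved registry")
        # The container-level field overrides the pod-level one; unset is not "true".
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname} runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname} readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname} allowPrivilegeEscalation must be false")
    return findings


def audit(manifests: list) -> list:
    return [f for obj in manifests for f in check_workload(obj)]


# Constructed manifests: a compliant Deployment (runAsNonRoot inherited from
# the pod securityContext), a debug Pod that breaks two rules, and a ConfigMap.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "genesis-api"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "api",
                         "image": "your-acr.azurecr.io/genesis-api:1.2.3",
                         "securityContext": {"readOnlyRootFilesystem": True,
                                             "allowPrivilegeEscalation": False}}]}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"containers": [{"name": "shell", "image": "busybox:1.36",
                              "securityContext": {"runAsNonRoot": True,
                                                  "allowPrivilegeEscalation": False}}]}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "cfg"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print("DENY", finding)
```

The value of running this on the gap host as well as at admission is the ordering: a manifest that would be denied in-cluster is caught before the bundle crosses the boundary, when a fix is a re-render rather than a rollback.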


Without Zarf — the alternate path

If your security team blocks Zarf (mutating webhook policy, vendor risk review, approved-tools list), the same scanning flow works on the plain artifacts. Un-tar manually and feed your existing pipeline.

# Un-tar the bundle (zstd → tar)
zstd -d genesis-platform-{ver}.tar.zst -o genesis-platform-{ver}.tar
mkdir extracted && tar -xf genesis-platform-{ver}.tar -C extracted/

# Mirror images to your registry with skopeo (no Zarf)
for img in extracted/images/*; do
  skopeo copy oci-archive:"$img" \
    docker://your-acr.azurecr.io/$(basename "$img" .tar)
done

# Install with helm directly
helm install genesis ./extracted/charts/genesis-{ver}.tgz \
  -f your-values.yaml \
  --set global.imageRegistry=your-acr.azurecr.io \
  -n genesis --create-namespace

Every scanning step on this page still applies — each operates on the SBOM, the cosign bundle, the rendered manifests, or the image archives, none of which is Zarf-specific.


What Genesis does not ship

No vulnerability scanner

Use yours — Trivy, Grype, Snyk, Black Duck, Mend, Aqua, Twistlock, Prisma Cloud, Wiz. Every one of them reads our SBOM or our image archives.

No container registry

Use yours — Harbor, Azure ACR, AWS ECR, Google Artifact Registry, Nexus, Artifactory. Zarf (or skopeo on the alternate path) pushes images into it.

No admission controller

Use yours — Kyverno, OPA Gatekeeper, Datree. Genesis manifests already comply with the standard restricted PodSecurity profile, so your policies should pass.

No runtime agent

Use yours — Aqua, Sysdig, Falco, Wiz, Orca, Prisma Cloud. Genesis adds nothing to the runtime layer; whatever you run keeps running.

No license scanner

Use yours — FOSSA, Black Duck, Mend. Genesis dependencies are restricted to MIT / Apache-2.0 only; no copyleft surprises.

No SIEM integration

Your scanners' existing pipes carry it. Genesis emits structured logs and Prometheus metrics; your collector ingests them.


Where to go next

Air-gap workflow →

The exact sneakernet path: gap-host pulls, sidecar manifests, cluster-side ingest.

