# Kedify FIPS 140-3 Attestation

<table class="meta">
<tbody>
<tr><th>Release:</th><td><code>kedify/http-add-on@v0.11.1-4</code></td></tr>
<tr><th>Commit:</th><td><code>6d66d9aa4a51a10158844abf378e7298ebd34ba6</code></td></tr>
<tr><th>Generated date:</th><td><code>2026-05-15T12:04:14Z</code></td></tr>
</tbody>
</table>

## Summary

This document is a vendor self-attestation for the hardened container image variants published by Kedify in the release identified above. It describes the FIPS 140-3 cryptographic posture of those images for procurement teams and security questionnaires.

The cryptographic module embedded in Kedify binaries is the Go Cryptographic Module, and its CMVP status is [tracked by the upstream Go team](https://go.dev/security/fips140). The claim is FIPS Inside: each hardened Kedify binary embeds the validated module and routes approved cryptographic operations through it.

## Cryptographic module

| Item | Value |
| --- | --- |
| Module name | Go Cryptographic Module |
| Module version | `v1.0.0` |
| FIPS standard | FIPS 140-3 |
| CMVP status | Tracked at <https://go.dev/security/fips140> |
| Build flag (Go) | `GOFIPS140=v1.0.0` |
| Required Go version | 1.24 or later |
| External dependencies | None. The module is statically compiled into each Kedify binary. |

The CMVP certificate status of the Go Cryptographic Module changes as it moves through validation. The link above is the source of truth at any given moment.

<div class="page-break"></div>

## Images in scope

The following images embed the Go FIPS 140-3 module and carry the OCI labels `io.kedify.crypto.module=go-fips140` and `io.kedify.crypto.version=v1.0.0`:

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/http-add-on-interceptor</code></td></tr>
<tr><th>Tag:</th><td><code>v0.11.1-4-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:e34a4830f9f8971e7415fa133de241cf6b331a270779820df60a29a0d0069997</code></td></tr>
</table>

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/http-add-on-operator</code></td></tr>
<tr><th>Tag:</th><td><code>v0.11.1-4-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:496edc296bef76cb1b1e21aed336bc52c2a7b0f80838707fc16fbda35db5f405</code></td></tr>
</table>

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/http-add-on-scaler</code></td></tr>
<tr><th>Tag:</th><td><code>v0.11.1-4-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:81b69bd7f182678d40f14e82bf770f0ef4d0aa9a1a8638ec781620b05c8a57e8</code></td></tr>
</table>


Manifest digests above are pinned to this release. They will not change for this tag; a future release of the same image will publish a new digest under its own tag.

<div class="page-break"></div>

## Build evidence

For every hardened binary built for this release, `go version -m` reports that the FIPS module is linked. The exact build settings are:

```
interceptor-hardened-amd64_linux_amd64_v1/interceptor:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux
	build	vcs.revision=6d66d9aa4a51a10158844abf378e7298ebd34ba6

interceptor-hardened-arm64_linux_arm64/interceptor:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux
	build	vcs.revision=6d66d9aa4a51a10158844abf378e7298ebd34ba6

operator-hardened-amd64_linux_amd64_v1/operator:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux

operator-hardened-arm64_linux_arm64/operator:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux

scaler-hardened-amd64_linux_amd64_v1/scaler:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux
	build	vcs.revision=6d66d9aa4a51a10158844abf378e7298ebd34ba6

scaler-hardened-arm64_linux_arm64/scaler:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0
	build	GOOS=linux
	build	vcs.revision=6d66d9aa4a51a10158844abf378e7298ebd34ba6
```
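A consumer can check a `go version -m` listing like the one above mechanically instead of reading it by eye. The following is an added example, not Kedify's tooling or part of the original attestation: it parses the listing format and compares `GOFIPS140` and `vcs.revision` with the values in the release header. The names `Binary`, `Parse` and `Check` are hypothetical, and the sample is excerpted from the listing above, where the two operator entries carry no `vcs.revision` line.

```go
package main

import (
	"fmt"
	"strings"
)

// Two entries excerpted from the listing above; the operator one has no vcs.revision.
const sample = `interceptor-hardened-amd64_linux_amd64_v1/interceptor:
	build	GOFIPS140=v1.0.0
	build	vcs.revision=6d66d9aa4a51a10158844abf378e7298ebd34ba6
operator-hardened-amd64_linux_amd64_v1/operator:
	build	GOFIPS140=v1.0.0
`

// Binary is one file from the listing with its "build" settings (hypothetical type).
type Binary struct{ Path string; Settings map[string]string }

// Parse splits `go version -m` text into binaries; unindented lines start a new one.
func Parse(text string) (out []Binary) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) > 0 && line[0] != '\t' && line[0] != ' ':
			out = append(out, Binary{strings.TrimSuffix(f[0], ":"), map[string]string{}})
		case len(f) > 1 && f[0] == "build" && len(out) > 0:
			k, v, _ := strings.Cut(strings.Join(f[1:], " "), "=")
			out[len(out)-1].Settings[k] = v
		}
	}
	return out
}

// Check compares the settings with the expected module version and commit.
func Check(b Binary, fips, commit string) (findings []string) {
	for _, w := range [][2]string{{"GOFIPS140", fips}, {"vcs.revision", commit}} {
		if got, ok := b.Settings[w[0]]; !ok {
			findings = append(findings, w[0]+" missing")
		} else if got != w[1] {
			findings = append(findings, w[0]+"="+got+", want "+w[1])
		}
	}
	return findings
}

func main() {
	for _, b := range Parse(sample) {
		fmt.Println(b.Path, Check(b, "v1.0.0", "6d66d9aa4a51a10158844abf378e7298ebd34ba6"))
	}
}
```

To check a pulled image rather than this listing, feed `Parse` the output of `go version -m` run against the binary extracted from that image.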

<div class="page-break"></div>

## Signing

Kedify signs this attestation document and the hardened container manifests listed above with a Cosign static keypair. The public key is published at <https://docs.kedify.io/kedify-cosign.pub>.

Verify the attestation document:

```sh
cosign verify-blob --key https://docs.kedify.io/kedify-cosign.pub \
  --signature kedify-fips-attestation-v0.11.1-4.md.sig kedify-fips-attestation-v0.11.1-4.md
```

Verify each hardened image manifest:

```sh
cosign verify --key https://docs.kedify.io/kedify-cosign.pub \
  ghcr.io/kedify/http-add-on-interceptor:v0.11.1-4-hardened

cosign verify --key https://docs.kedify.io/kedify-cosign.pub \
  ghcr.io/kedify/http-add-on-operator:v0.11.1-4-hardened

cosign verify --key https://docs.kedify.io/kedify-cosign.pub \
  ghcr.io/kedify/http-add-on-scaler:v0.11.1-4-hardened
```

The signature establishes that the document or image was published by Kedify. The validated module's lab attestation is the upstream Go Cryptographic Module's CMVP record, linked above.

## Reporting and contact

Security findings related to this attestation should be sent to <support@kedify.io>.

## References

- Go Cryptographic Module CMVP status: <https://go.dev/security/fips140>
- Go FIPS 140-3 documentation: <https://go.dev/doc/security/fips140>
- Kedify FIPS compliance page: <https://docs.kedify.io/security-and-compliance/fips/>
- NIST CMVP program: <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
