# Kedify FIPS 140-3 Attestation

<table class="meta">
<tbody>
<tr><th>Release:</th><td><code>kedify/keda@v2.19.0-3</code></td></tr>
<tr><th>Commit:</th><td><code>79b3304361521e5c8587e8af22f53d27027bb6bf</code></td></tr>
<tr><th>Generated date:</th><td><code>2026-05-18T09:18:42Z</code></td></tr>
</tbody>
</table>

## Summary

This document is a vendor self-attestation for the hardened container image variants published by Kedify in the release identified above. It describes the FIPS 140-3 cryptographic posture of those images for procurement teams and security questionnaires.

The cryptographic module embedded in Kedify binaries is the Go Cryptographic Module, and its CMVP status is [tracked by the upstream Go team](https://go.dev/security/fips140). The claim is FIPS Inside: each hardened Kedify binary embeds the validated module and routes approved cryptographic operations through it.

## Cryptographic module

| Item | Value |
| --- | --- |
| Module name | Go Cryptographic Module |
| Module version | `v1.0.0` |
| FIPS standard | FIPS 140-3 |
| CMVP status | Tracked at <https://go.dev/security/fips140> |
| Build flag (Go) | `GOFIPS140=v1.0.0` |
| Required Go version | 1.24 or later |
| External dependencies | None. The module is statically compiled into each Kedify binary. |

The CMVP certificate status of the Go Cryptographic Module changes as the module moves through validation. The link above is the source of truth at any given moment.

## Images in scope

The following images embed the Go FIPS 140-3 module and carry the OCI labels `io.kedify.crypto.module=go-fips140` and `io.kedify.crypto.version=v1.0.0`:

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/keda-admission-webhooks</code></td></tr>
<tr><th>Tag:</th><td><code>v2.19.0-3-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:c8f03cd4a56e8d3eb23381c9357e582a5d30fac344f351759aef4c40dfdaa18c</code></td></tr>
</table>

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/keda-metrics-apiserver</code></td></tr>
<tr><th>Tag:</th><td><code>v2.19.0-3-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:4549391b50b01573e152825e4f4f92d044a399e59b19f20b812abb6e4bcbebfb</code></td></tr>
</table>

<table class="image-block">
<tr><th>Image:</th><td><code>ghcr.io/kedify/keda-operator</code></td></tr>
<tr><th>Tag:</th><td><code>v2.19.0-3-hardened</code></td></tr>
<tr><th>Digest:</th><td><code>sha256:400e38f1bff737fb4f7d6be971d71f58245fa7fb898993e46e3caf91288723d2</code></td></tr>
</table>

Manifest digests above are pinned to this release. They will not change for this tag; a future release of the same image will publish a new digest under its own tag.

## Build evidence

For every hardened binary built for this release, `go version -m` reports that the FIPS module is linked. The exact build settings are:

```
keda-admission-webhooks-hardened-amd64_linux_amd64_v1/keda-admission-webhooks-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

keda-admission-webhooks-hardened-arm64_linux_arm64/keda-admission-webhooks-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

keda-metrics-apiserver-hardened-amd64_linux_amd64_v1/keda-metrics-apiserver-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

keda-metrics-apiserver-hardened-arm64_linux_arm64/keda-metrics-apiserver-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

keda-operator-hardened-amd64_linux_amd64_v1/keda-operator-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

keda-operator-hardened-arm64_linux_arm64/keda-operator-hardened:
	build	-buildmode=exe
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOFIPS140=v1.0.0-c2097c7c
	build	GOOS=linux

```
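
The listing above can be checked mechanically rather than by eye. The following is an added example, not Kedify's own tooling: it reads `go version -m` output and fails if any binary lacks a `GOFIPS140` setting matching the expected module version or was not built with `CGO_ENABLED=0`, mirroring the settings shown in the listing. The function and sample names are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: audit `go version -m` output (stdin) for the build settings
# this attestation lists. $1 is the expected module version, e.g. v1.0.0.
# Prints PASS/FAIL per binary; returns non-zero if any fails or none is seen.
check_fips_buildinfo() {
  awk -v want="$1" '
    function report(   ok) {
      if (bin == "") return
      # Accept the bare version or the version followed by "-<suffix>".
      ok = (fips == want || index(fips, want "-") == 1) && cgo == "0"
      printf "%s %s GOFIPS140=%s CGO_ENABLED=%s\n", (ok ? "PASS" : "FAIL"), bin,
        (fips == "" ? "<unset>" : fips), (cgo == "" ? "<unset>" : cgo)
      total++
      if (!ok) bad++
    }
    # An unindented line starts a new binary: "path:" or "path: go1.x".
    /^[^ \t]/ { report(); bin = $0; sub(/:.*$/, "", bin); fips = ""; cgo = ""; next }
    $1 == "build" && $2 ~ /^GOFIPS140=/   { fips = substr($2, 11) }
    $1 == "build" && $2 ~ /^CGO_ENABLED=/ { cgo = substr($2, 13) }
    END { report(); exit ((total == 0 || bad > 0) ? 1 : 0) }
  '
}

# Entry copied from the Build evidence listing. Real output is tab-indented,
# which awk field splitting treats the same as the spaces used here.
sample_hardened() {
  cat <<'EOF'
keda-operator-hardened-amd64_linux_amd64_v1/keda-operator-hardened:
    build   -buildmode=exe
    build   CGO_ENABLED=0
    build   GOARCH=amd64
    build   GOFIPS140=v1.0.0-c2097c7c
    build   GOOS=linux
EOF
}

# Constructed counter-example: a binary built without GOFIPS140.
sample_unhardened() {
  cat <<'EOF'
example/keda-operator-plain: go1.24.0
    build   -buildmode=exe
    build   CGO_ENABLED=0
    build   GOOS=linux
EOF
}

sample_hardened | check_fips_buildinfo v1.0.0
sample_unhardened | check_fips_buildinfo v1.0.0 || echo "unhardened sample rejected"
```

Against binaries extracted from an image, pipe the real tool output in, for example `go version -m ./keda-operator-hardened | check_fips_buildinfo v1.0.0`.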

## Signing

Kedify signs this attestation document and the hardened container manifests listed above with a Cosign static keypair. The public key is published at <https://docs.kedify.io/kedify-cosign.pub>.

Verify the attestation document:

```sh
cosign verify-blob --key https://docs.kedify.io/kedify-cosign.pub \
  --signature kedify-fips-attestation-v2.19.0-3.md.sig kedify-fips-attestation-v2.19.0-3.md
```

Verify each hardened image manifest:

```sh
cosign verify --key https://docs.kedify.io/kedify-cosign.pub ghcr.io/kedify/keda-admission-webhooks:v2.19.0-3-hardened

cosign verify --key https://docs.kedify.io/kedify-cosign.pub ghcr.io/kedify/keda-metrics-apiserver:v2.19.0-3-hardened

cosign verify --key https://docs.kedify.io/kedify-cosign.pub ghcr.io/kedify/keda-operator:v2.19.0-3-hardened
```

The signature establishes that the document or image was published by Kedify. The lab attestation for the validated module is the upstream Go Cryptographic Module's CMVP record, linked above.

## Reporting and contact

Security findings related to this attestation should be sent to <support@kedify.io>.

## References

- Go Cryptographic Module CMVP status: <https://go.dev/security/fips140>
- Go FIPS 140-3 documentation: <https://go.dev/doc/security/fips140>
- Kedify FIPS compliance page: <https://docs.kedify.io/security-and-compliance/fips/>
- NIST CMVP program: <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
