forge

A container-hardening pipeline that took an uptime-kuma image from 507 to 0 OS- and runtime-layer CVEs. It uses Chainguard’s dfc and Wolfi-based images to rebuild the image, syft and grype for SBOM generation and vulnerability scanning, and cosign for keyless signing via the GitHub OIDC → Fulcio → Rekor chain.
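The pipeline described above, written out as an added GitHub Actions workflow (example configuration, not forge's own code). The image name, the Dockerfile path and the dfc install method are assumptions.

```yaml
# Added example, not the forge project's own workflow: a GitHub Actions job with the
# stages the summary lists. Image name, paths and the dfc install method are assumptions.
name: harden-scan-sign
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write   # push the image to GHCR
  id-token: write   # GitHub OIDC token that cosign trades for a Fulcio certificate
env:
  IMAGE: ghcr.io/${{ github.repository_owner }}/uptime-kuma-hardened   # assumed name
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # 1. Rewrite the upstream Dockerfile onto Wolfi-based Chainguard images with dfc.
      - uses: actions/setup-go@v5
        with: { go-version: stable }
      - run: |
          go install github.com/chainguard-dev/dfc@latest
          dfc Dockerfile > Dockerfile.chainguard
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.chainguard
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      # 2. Generate the SBOM from the pushed digest, then scan the SBOM so the scan
      #    and the attestation below describe the same inventory.
      - run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
          syft "${IMAGE}@${{ steps.build.outputs.digest }}" -o spdx-json=sbom.spdx.json
          grype sbom:sbom.spdx.json --fail-on low   # any finding fails the build; the target is 0
      # 3. Keyless signing: OIDC token -> Fulcio cert -> Rekor entry. Sign the digest, not a tag.
      - uses: sigstore/cosign-installer@v3
      - run: |
          cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"
          cosign attest --yes --type spdxjson --predicate sbom.spdx.json \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

Consumers verify with `cosign verify` against the expected GitHub workflow identity and issuer, which checks the Fulcio certificate and the Rekor inclusion proof rather than a long-lived key.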