Skip to main content

Secure builds made easy

Konflux is a trusted software factory, built from leading open source projects, that makes securing your container builds straightforward.

Your code deserves a factory, not a toolchain.

SOURCE CODE

Konflux Factory

Build · Sign · Scan · Attest

Tekton
Sigstore
Clair
SBOM

VERIFIED OUTPUT

SLSA L3
Signed

UNDER THE HOOD

Tour The Factory

Konflux integrates proven open source projects into a single software factory. Hover to explore each component.

Tekton

Kubernetes-native CI/CD pipeline engine that powers all Konflux build and test workflows with composable, reusable task definitions.

Sigstore

Keyless signing and transparency log for artifacts. Konflux signs every build output cryptographically — no private key management required.

Conforma (EC)

Enterprise Contract policy engine that validates container images against SLSA, supply chain, and custom organizational policies before release.

Clair

Vulnerability scanner that analyzes container images for known CVEs and produces severity reports with remediation guidance.

Buildah

Daemonless, rootless container image builder. Produces OCI-compliant images from Dockerfiles or scratch — no running daemon needed.

SPDX / CycloneDX

Konflux generates SBOMs in these industry-standard formats for every build — a complete inventory of all software components in your artifact.

Renovate

Automated dependency update bot that keeps your build pipelines and component references current with the latest secure versions.

Hermetic Builds

Network-isolated build environments that strengthen reproducibility and prevent undeclared dependencies by blocking external fetches at build time.

Release Service

Managed release pipelines that orchestrate promotion, gating, and deployment across environments, with a full audit trail for every released artifact.

In-Toto Attestations

SLSA-compliant provenance attestations that cryptographically link every artifact to its source, builder, and build steps.

WHY KONFLUX

The secure CI/CD platform that scales as fast as your code.

Are fragmented tools slowing you down? Are security gaps keeping you up at night? Konflux brings it all under one roof.

Automation (general) illustrationautomation, infrastructure technology, software, conveyor belt
CI/CD Automation

Build container images and other artifacts from source. Automate builds, tests, and releases with repeatable, dependable outcomes.

Security 2security, secure, private, privacy, clouds, lines, nodes, monitor, code
Securely Sign

Generate secure, detailed provenance — an immutable record of what happened during every build step.

Trusted software supply chain
Supply chain safeguards

Verify container images against frameworks like SLSA and your own custom organizational policies.

Collaboration (co-workers) illustrationco-workers, collaboration, team, brainstorming, research, notes, data, checklist
Open source, community driven

Built in the open with transparent roadmaps, shared governance, and active contributors.

HOW IT WORKS

The Konflux code lifecycle

Explore the lifecycle of a secure build produced by Konflux

Bring your codeAny git source
Hermetic buildsIsolated environments
CVE scan & SBOMAnalyze artifacts
Signed provenanceTamper-evident record
Verify artifactsConforma policies
Code releasedDeployed to prod

Step 1 of 6

Bring your code from any git source

Connect your git repository to Konflux. Select from tailored trusted build pipelines for your artifact type and customize them to fit your needs — all driven by a simple build configuration.

GitHub, GitLab, & Forgejo integration
Tailored build pipelines per artifact type
Support for monorepos and multi-component apps

Bring your code, we'll secure the rest

Connect any git repository, select a build pipeline, and Konflux handles the rest — building, scanning, generating SBOMs, and signing provenance for every artifact.