Documentation

Overview

Sekyr is a container registry. You change one thing, the registry URL in your manifests, and every image pulled through Sekyr is instrumented at pull time with a lightweight runtime supervisor built for that specific workload.

The design goal is an uninteresting one: make production containers default‑safe without anyone having to think about it.

Principle. Everything Sekyr does happens at registry pull time. There is no cluster component and no long‑running daemon. Once an image is pulled and cached, your containers run with the supervisor and policy baked in. They have no dependency on Sekyr being reachable at runtime.

Quickstart

Authenticate once, then prefix any image reference with sekyr.cloud/.

# 1. Authenticate
docker login sekyr.cloud -u user -p password:apikey

# 2. Prefix any image
#    Before
image: nginx:1.27

#    After
image: sekyr.cloud/nginx:1.27

Regional and registry‑specific aliases let you keep multiple saved logins side by side in your docker config:

aws.sekyr.cloud/…
gcp.sekyr.cloud/…
dockerhub.sekyr.cloud/…
gitlab.sekyr.cloud/…
github.sekyr.cloud/…

On the first pull, Sekyr will:

  • Fetch the upstream image from its source of truth.
  • Run a short profile pass in an isolated sandbox to observe normal behaviour.
  • Produce a rewritten image, signed and attested, and cache it on the CDN nearest to your cluster.

Subsequent pulls of the same digest return instantly from cache.

Core concepts

Supervisor

A small static binary injected as PID 1. It replaces your original entrypoint with itself, runs your process as a child, and enforces the policy profile. There is no running daemon and no long‑lived network surface; container resources are only touched when an event fires.

Policy profile

A declarative description of the syscalls, file paths, and egress destinations a workload is allowed to use. Profiles start from a high‑confidence default derived from the image and are refined by your team through pull requests.

Envelope

A profile plus the observed runtime behaviour that backs it. Drift is any syscall, file access, or network connection outside the envelope, and every drift event is surfaced with call‑site context, not just a PID and an errno.

Supported registries

Sekyr supports any registry that implements the OCI Distribution Spec. We actively test against:

  • GHCR, Docker Hub, Quay
  • Amazon ECR (public and private)
  • Google Artifact Registry, Azure Container Registry
  • Harbor, JFrog Artifactory, GitLab Container Registry

Kubernetes

The simplest integration is a single imagePullPolicy change in your manifests. For fleet‑wide adoption we recommend the Sekyr admission webhook, which rewrites images at admission based on namespace labels, so you never have to touch a manifest.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    sekyr.cloud/enforce: "true"
spec:
  template:
    spec:
      containers:
        - name: api
          image: ghcr.io/acme/api:1.14   # rewritten at admission
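The admission rewrite above, as an added example that is not the Sekyr webhook's own code: a minimal mutating-admission handler for Pods that emits the JSON patch. It assumes the rewrite is the Quickstart's plain sekyr.cloud/ prefix (regional aliases are not handled), that the sekyr.cloud/enforce label may come from the namespace or the object itself, and that images already under a sekyr.cloud host are left untouched.

```python
import base64
import json

SEKYR_PREFIX = "sekyr.cloud/"          # the Quickstart prefix; aliases are not handled here
ENFORCE_LABEL = "sekyr.cloud/enforce"  # label from the manifest above


def already_rewritten(image):
    """True when the reference already points at sekyr.cloud or one of its aliases."""
    registry = image.split("/", 1)[0]
    return registry == "sekyr.cloud" or registry.endswith(".sekyr.cloud")


def image_patches(pod_spec, labels):
    """JSON Patch (RFC 6902) that prefixes every container image with sekyr.cloud/
    when the enforce label is "true"; otherwise an empty patch (assumed behaviour)."""
    if labels.get(ENFORCE_LABEL) != "true":
        return []
    patches = []
    for field in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(field, [])):
            image = container.get("image", "")
            if not image or already_rewritten(image):
                continue  # idempotent: a second admission pass changes nothing
            patches.append({"op": "replace", "path": f"/spec/{field}/{i}/image",
                            "value": SEKYR_PREFIX + image})
    return patches


def admission_response(review, namespace_labels):
    """Build the AdmissionReview response for a Pod: always allowed, carrying a
    base64-encoded JSON patch when at least one image was rewritten.
    Object labels win over namespace labels (an assumption)."""
    req = review["request"]
    pod = req["object"]
    labels = {**namespace_labels, **pod.get("metadata", {}).get("labels", {})}
    patches = image_patches(pod.get("spec", {}), labels)
    resp = {"uid": req["uid"], "allowed": True}
    if patches:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patches).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(admission_review_response):
    """Helper for inspecting the patch a response carries (empty list when none)."""
    patch = admission_review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []
```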

Amazon ECS

ECS task definitions can point at sekyr.cloud directly. For cross‑account ECR pulls you'll need to grant the Sekyr worker role access; the full IAM policy is in the reference appendix.

CI pipelines

You can run Sekyr against images in CI to produce a signed, policy‑baked artifact before anything touches production. This is the pattern most of our customers use.

Writing policies

Policies are YAML. The default policy for every workload is generated for you; you only write YAML when you want to override or constrain the default.

apiVersion: policy.sekyr.cloud/v1
kind: Policy
metadata:
  name: api-default
spec:
  syscalls:
    default: allowlist
    extra: [pidfd_open]
  filesystem:
    writable: ["/tmp", "/run"]
  egress:
    - dest: postgres.internal:5432
    - dest: "*.s3.eu-west-1.amazonaws.com:443"

Enforcement modes

Each policy can be set to one of three modes:

  • observe: record drift, do not block. Used when onboarding a workload.
  • warn: drift is allowed but the supervisor emits a high‑severity event.
  • enforce: drift is blocked at the syscall boundary. This is the production default.

Egress rules

Sekyr ships a DNS‑aware egress filter that can operate on hostnames (with DNSSEC validation), IP ranges, or certificate fingerprints. Rules are first‑match; default is deny.

Event streaming

Every runtime decision is a structured event: the workload, the rule, the outcome, the call site. Events stream in near real time to any destination speaking OTLP, AWS Kinesis, or plain old syslog‑over‑TLS.
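An added example, not Sekyr's supervisor code, tying together the egress rules, the three enforcement modes and the event fields described in these sections: a first-match evaluator over the documented policy's egress list that defaults to deny and emits one structured event per decision. It assumes the policy arrives as an already-parsed dict with a mode key, that the caller passes the resolved IP in (no DNS lookups or certificate-fingerprint rules), that a "*." wildcard covers exactly one DNS label, and that the CIDR rule shown is a hypothetical addition.

```python
import ipaddress

# Constructed policy in the shape of the documented YAML, already parsed to a dict.
# The 'mode' key and the CIDR rule are assumptions; the page shows hostname rules only.
POLICY = {
    "mode": "enforce",  # observe | warn | enforce
    "egress": [
        {"dest": "postgres.internal:5432"},
        {"dest": "*.s3.eu-west-1.amazonaws.com:443"},
        {"dest": "10.0.0.0/8:443"},  # hypothetical IP-range rule
    ],
}


def _split_dest(dest):
    """'target:port' -> (target, port); target is a hostname, a '*.' wildcard or a CIDR."""
    target, _, port = dest.rpartition(":")
    return target, int(port)


def rule_matches(rule, host, ip, port):
    target, rule_port = _split_dest(rule["dest"])
    if port != rule_port:
        return False
    if "/" in target:  # IP-range rule, checked against the resolved address
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)
    if target.startswith("*."):  # wildcard covers exactly one DNS label (assumed semantics)
        suffix = target[1:]  # e.g. ".s3.eu-west-1.amazonaws.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == target


def evaluate_egress(policy, workload, host, ip, port, call_site):
    """First matching rule wins; no match is drift, and the documented default is deny.
    The enforcement mode decides whether drift is blocked or only reported."""
    mode = policy.get("mode", "enforce")
    event = {"workload": workload, "call_site": call_site, "dest": f"{host}:{port}"}
    for rule in policy.get("egress", []):
        if rule_matches(rule, host, ip, port):
            return {**event, "rule": rule["dest"], "outcome": "allow",
                    "blocked": False, "severity": "info"}
    return {**event, "rule": None, "outcome": "drift",
            "blocked": mode == "enforce",
            "severity": "info" if mode == "observe" else "high"}
```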

SBOM & attestations

Every rewritten image ships with a typed SPDX 3.0 SBOM and a cosign‑signed attestation bundle. You can verify the attestation chain using standard tooling, no Sekyr client required.

Audit & compliance

Compliance is a view over the event stream. GDPR and NIS2 packs ship by default, with SOC 2 on the way as we complete our own audit. Evidence is generated on demand and signed at generation time. Sekyr is operated by a Norwegian company under Norwegian law, with our GDPR representative for the EEA named in the Security Policy.