Published January 22, 2026
| Version v1
Conference paper
Open
Beyond Container CVE Analysis: A GitOps-Based Attestation and Sandbox Framework for Container Supply Chains
Description
As software supply chains accelerate through DevOps automation and continuous delivery, container images have become the primary vector for both application development and security compromise. While static vulnerability scanners can detect known CVEs, they are unable to uncover zero-day malware or runtime threats, particularly in container images sourced from public registries, which are maintained by individual contributors of varying intent and trustworthiness. In this paper, we introduce a GitOps-driven sandboxing framework for proactive and tamper-resistant container image attestation, addressing the urgent need for deeper analysis before deployment. Our approach combines static vulnerability detection with dynamic behavioral inspection using gVisor-based sandboxing. Through filesystem analysis, system call tracing, and network activity monitoring, the framework identifies malicious patterns and anomalies. Adopting this framework will empower developers and security teams to enforce stronger trust guarantees even in the absence of SBOMs or SLSA levels. This framework lays the foundation for resilient, trustworthy software delivery at scale in compliance with NIST SP 800-218 and ISO/IEC 27001.
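To make the behavioral-inspection step concrete, the following is an added example (my own illustration, not code from the paper or its framework) of the kind of post-sandbox triage the abstract describes: a trace of filesystem, system call and network events from one container run is evaluated against a small policy, and the result is wrapped in a digest-protected attestation record that a GitOps pipeline could commit alongside the image reference. The trace format (one event per line, `kind detail...`), the sample events, the image reference, the egress CIDR allowlist and the rule set are all constructed assumptions; real `runsc --strace` output is more verbose and would need its own parser.

```python
"""Behavioral triage of a sandboxed container run plus an attestation record.

Added example, not code from the paper. It assumes a simplified, constructed
trace format (one event per line: "<kind> <detail ...>", kind in
syscall/fs/net). Real gVisor `runsc --strace` output is more verbose and
would need its own parser; the policy and thresholds below are illustrative.
"""
import hashlib
import ipaddress
import json
import re
from dataclasses import asdict, dataclass

# Constructed sample trace; NOT captured from a real sandbox.
SAMPLE_TRACE = """\
syscall execve /usr/bin/python3
fs open /app/config.yaml O_RDONLY
net connect tcp 10.0.0.5:5432
syscall execve /bin/sh
fs open /etc/shadow O_RDONLY
net connect tcp 203.0.113.7:4444
fs write /root/.ssh/authorized_keys
syscall ptrace 1234
"""

# Egress policy (assumed): only the cluster-internal range is expected.
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]

# Pattern rules: (name, severity, regex over one trace line). Illustrative.
RULES = [
    ("shell-exec", "medium", re.compile(r"^syscall execve /bin/(sh|bash|dash)(\s|$)")),
    ("sensitive-read", "high", re.compile(r"^fs open /etc/(shadow|gshadow)(\s|$)")),
    ("ssh-key-write", "high", re.compile(r"^fs write /root/\.ssh/")),
    ("ptrace", "high", re.compile(r"^syscall ptrace(\s|$)")),
]
NET_RE = re.compile(r"^net connect (tcp|udp) (\S+):(\d+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: str


def analyze(trace: str) -> list:
    """Run the pattern rules and the egress check over every trace line."""
    findings = []
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        for name, sev, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, sev, line))
        m = NET_RE.match(line)
        if m:
            addr = ipaddress.ip_address(m.group(2))
            if not any(addr in net for net in ALLOWED_EGRESS):
                findings.append(Finding("unexpected-egress", "high", line))
    return findings


def _canonical(obj) -> bytes:
    # Deterministic serialization so the digest is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attest(image_ref: str, trace: str) -> dict:
    """Produce a self-checking attestation record for one sandbox run."""
    findings = analyze(trace)
    verdict = "deny" if any(f.severity == "high" for f in findings) else "allow"
    body = {
        "subject": image_ref,
        "trace_sha256": hashlib.sha256(trace.encode()).hexdigest(),
        "findings": [asdict(f) for f in findings],
        "verdict": verdict,
    }
    # Digest over the canonical body; a real pipeline would additionally sign
    # this (e.g. with cosign) before committing it to the GitOps repository.
    return {"body": body, "digest": hashlib.sha256(_canonical(body)).hexdigest()}


def verify(record: dict) -> bool:
    """Recompute the digest so a hand-edited record is rejected."""
    return hashlib.sha256(_canonical(record["body"])).hexdigest() == record["digest"]


if __name__ == "__main__":
    # Constructed image reference, not a real artifact.
    rec = attest("registry.example/app@sha256:" + "0" * 64, SAMPLE_TRACE)
    print(json.dumps(rec, indent=2))
```

Running the block on the constructed trace yields five findings (shell execution, a read of `/etc/shadow`, a connection outside the allowed egress range, a write under `/root/.ssh/`, and a `ptrace` call) and a `deny` verdict; editing any field of the record afterwards makes `verify` return `False`. The digest only detects tampering, it does not prove origin, which is why a deployed pipeline would sign the record before the GitOps controller trusts it.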
Files

| Name | Size | Checksum |
|---|---|---|
| manuscript.pdf | 10.2 MB | md5:da0a31f99521876f2fe95d896acb853e |
Additional details
Dates
- Available: 2026-01-19