How-to guides

📄️How-to guides

Task-oriented guides — each solves one concrete problem against a running houba.

📄️Rebuild & harden an image

Place an image through the rebuild path: inject internal CA certs, rewrite package sources to an internal mirror, stamp the result, and optionally sign it.

📄️Attach a scan result

Ingest an upstream SARIF report as a signed OCI referrer with houba attach, using --fail-on as a severity CI gate.

📄️Inspect an image's SBOM

Find and fetch the SBOM referrer attached to a placed image, and enable CycloneDX alongside SPDX.

📄️Audit coverage

Find images that lack the stamp with houba audit, and gate CI on coverage, signing, or SBOM presence.

📄️Purge unused tags

The reference reaper: how marked tags get usage-gated and hard-deleted with houba purge, and how to wire your own usage oracle.

📄️GC superseded scan referrers

Reap stale scan referrers with houba gc, keeping the newest per (tool, format).

📄️Migrate off registry replication

Replace a legacy CI + registry-replication intake with houba destinations: same jobs, better provenance, and OCI referrers that survive to every team copy.

📄️Run the reference deployment

Run houba as a Kubernetes CronJob — the kind demo and the production blueprint: git-synced policies, rootless buildkitd, a blast-radius consumer, and optional KEDA autoscaling.