Scenario 05 · Government & defense
A government program needs an authorization to operate. Procurement wants FIPS 140-3 validated cryptography, a memory-safe data plane (the CISA/NSA "memory-safe roadmaps" ask had a Jan 1, 2026 deadline), and a verifiable supply chain — signed images, provenance, an SBOM. A C/C++ proxy can bolt on some of these, but it can never tick the memory-safety box by construction.
The compliance checklist
The differentiator is the top row: a memory-unsafe proxy cannot eliminate buffer overflows and use-after-free by construction — the exact class CISA/NSA flagged. Everything below is parity ZenoIngress reaches in one binary.
The setup
The FIPS posture is a build variant: enable the fips feature so rustls installs
aws-lc-rs's validated module (CMVP #4816), and assert it at startup so a non-FIPS build
fails closed:
# 1) Cargo.toml — opt in to the validated module
[features]
fips = ["rustls/fips"]
# 2) main.rs — install the FIPS provider, assert at startup
#[cfg(feature = "fips")]
rustls::crypto::default_fips_provider().install_default()?;
assert!(server_config.fips()); # non-FIPS build won't start
# 3) build the FIPS variant (toolchain: cmake, go, perl)
$ cargo build --release -p zenoingress-proxy --features fips
Note: ML-KEM inside a validated module tracks AWS-LC FIPS 3.0 (CMVP in-process as of 2026-05), so a strict-FIPS listener may not also be post-quantum yet — pick the posture the control requires.
Every release image is signed (keyless cosign) and ships SLSA provenance + a CycloneDX SBOM. A procurement reviewer verifies all three before the image is admitted:
# Signature — keyless OIDC, tied to the release pipeline identity
# (contact [email protected] for registry access + signing identity)
$ cosign verify <your-registry>/zenoingress:v1.0.0 \
--certificate-identity-regexp '<release-signing-identity>' \
--certificate-oidc-issuer '<oidc-issuer>'
# SLSA build provenance attestation
$ cosign verify-attestation --type slsaprovenance \
<your-registry>/zenoingress:v1.0.0
# CycloneDX SBOM, attached to the image
$ cosign download sbom <your-registry>/zenoingress:v1.0.0 > sbom.cdx.json
verified OK — signature · provenance · SBOM
What happens
fips build links aws-lc-rs's validated module (CMVP #4816);
rustls runs only FIPS-approved algorithms.
server_config.fips() — if the validated provider isn't active, the
proxy refuses to start rather than silently downgrade. fail-closed
#![forbid(unsafe_code)], CI-guarded — buffer overflows and use-after-free are
impossible by construction. CISA/NSA aligned
cargo audit (RUSTSEC) and cargo deny
(advisories, licenses, sources); all third-party Actions are pinned to a commit SHA.
Outcome
FIPS-validated crypto, a 100% memory-safe data plane, and a signed-and-attested supply chain ship in one binary — so the program clears the procurement bar a memory-unsafe proxy structurally cannot.
Run this yourself
The FIPS build announces the validated provider at startup, and the signature/provenance verify offline against the public Sigstore transparency log:
$ kubectl logs -n zenoingress-system deploy/zenoingress-proxy | grep -i fips
INFO crypto provider installed provider=aws-lc-rs-fips cmvp="#4816" fips=true
$ cosign verify <your-registry>/zenoingress:v1.0.0 \
--certificate-oidc-issuer '<oidc-issuer>' \
--certificate-identity-regexp '<release-signing-identity>' >/dev/null
Verified OK (transparency log entry confirmed)
FIPS, memory safety, and an attested supply chain in one binary.
Contact Sales