**Is your feature request related to a problem?
Organizations deploying Cyclops in FedRAMP environments are required by NIST SP 800-53 SC-13 to use FIPS 140-3 validated cryptography for all components that make TLS connections — including the Kubernetes API server. The
upstream ghcr.io/atlassian-labs/cyclops image uses Go's default crypto stack, which is not FIPS 140-3 validated, making it unusable in these environments without maintaining a custom internal build.
Describe the solution you'd like
Publish a ghcr.io/atlassian-labs/cyclops:vX.Y.Z-fips image tag alongside each release. Go 1.24+ supports FIPS 140-3 natively with no external dependencies — it requires only a single build-time flag:
RUN CGO_ENABLED=0 GOFIPS140=latest go build -ldflags="-s -w" -o /manager cmd/manager/main.go
ENV GODEBUG=fips140=on
We'd be happy to contribute a Dockerfile.fips and the corresponding CI workflow to build and push the -fips tag on each release.
Describe alternatives you've considered
Building a custom internal image that rebuilds from source with GOFIPS140=latest on each release. This means carrying the maintenance burden, lagging on upstream releases, and being unable to use the published image directly.
Additional context
Go FIPS 140-3 docs: https://go.dev/doc/security/fips140 (available since Go 1.24). The build flag compiles Go's FIPS-validated crypto module directly into the binary — no special OS or base image subscription is required.
**Is your feature request related to a problem?
Organizations deploying Cyclops in FedRAMP environments are required by NIST SP 800-53 SC-13 to use FIPS 140-3 validated cryptography for all components that make TLS connections — including the Kubernetes API server. The
upstream ghcr.io/atlassian-labs/cyclops image uses Go's default crypto stack, which is not FIPS 140-3 validated, making it unusable in these environments without maintaining a custom internal build.
Describe the solution you'd like
Publish a ghcr.io/atlassian-labs/cyclops:vX.Y.Z-fips image tag alongside each release. Go 1.24+ supports FIPS 140-3 natively with no external dependencies — it requires only a single build-time flag:
RUN CGO_ENABLED=0 GOFIPS140=latest go build -ldflags="-s -w" -o /manager cmd/manager/main.go
ENV GODEBUG=fips140=on
We'd be happy to contribute a Dockerfile.fips and the corresponding CI workflow to build and push the -fips tag on each release.
Describe alternatives you've considered
Building a custom internal image that rebuilds from source with GOFIPS140=latest on each release. This means carrying the maintenance burden, lagging on upstream releases, and being unable to use the published image directly.
Additional context
Go FIPS 140-3 docs: https://go.dev/doc/security/fips140 (available since Go 1.24). The build flag compiles Go's FIPS-validated crypto module directly into the binary — no special OS or base image subscription is required.