Overview

The Federal Information Processing Standards (FIPS) are U.S. government standards defined by the National Institute of Standards and Technology (NIST). FIPS 140-3 specifies requirements for cryptographic modules used to protect sensitive information. FIPS compliance is required in many regulated sectors, including government and critical infrastructure.

Tyk FIPS Compliance

Tyk provides FIPS builds of its products that use only FIPS 140-3 approved cryptographic algorithms. These builds incorporate two layers of FIPS-validated cryptography:
  • Application layer: the Go Cryptographic Module v1.0.0 (CAVP Certificate A6650), a native Go FIPS 140-3 cryptographic module available in Go 1.24 and later.
  • Container layer: Docker images built on Docker Hardened Images containing the OpenSSL FIPS Provider (CMVP Certificate #4985), which has completed FIPS 140-3 validation.
FIPS-compliant means that the FIPS Tyk Products use only FIPS 140-3 approved cryptographic algorithms when running in FIPS mode, using the Go Cryptographic Module (CAVP Certificate A6650) and the OpenSSL FIPS Provider (CMVP Certificate #4985). However, the FIPS Tyk Products have not been independently tested or submitted to a NIST testing lab by Tyk. Therefore, this should not be interpreted as FIPS certification of the Tyk products themselves.

Available Products

Product                  | FIPS Package        | FIPS Docker Image
-------------------------|---------------------|---------------------------
Tyk Gateway (Enterprise) | tyk-gateway-fips    | tykio/tyk-gateway-fips
Tyk Dashboard            | tyk-dashboard-fips  | tykio/tyk-dashboard-fips
Tyk Pump                 | tyk-pump-fips       | tykio/tyk-pump-fips
Tyk MDCB                 | tyk-sink-fips       | tykio/tyk-mdcb-docker-fips

Platform Support

  • Packages (DEB, RPM): amd64, arm64, s390x
  • Docker images: amd64, arm64

Licensing

FIPS builds require a paid enterprise license agreement. Contact your Tyk account manager for access.

How FIPS Mode Works

FIPS builds are compiled with GOFIPS140=v1.0.0, which embeds the Go Cryptographic Module directly into the binary. FIPS mode is enabled by default at runtime. The only configuration required is setting the key hashing algorithm for Tyk Gateway (see Configuration). When running in FIPS mode, all cryptographic operations (TLS, hashing, signing, encryption) use only FIPS-approved algorithms. Non-approved algorithms are rejected at runtime.

Cryptographic Module

The Go Cryptographic Module is a pure Go implementation in the Go standard library (Go 1.24 and later). Unlike approaches that rely on external C libraries for FIPS cryptography, the Go Cryptographic Module:
  • Has no external C library dependencies, eliminating an entire class of linking and compatibility risks
  • Is embedded directly into the binary at compile time, ensuring the validated module cannot be substituted at runtime
  • Enables FIPS mode by default in FIPS builds, removing the risk of misconfiguration
  • Undergoes FIPS 140-3 validation (the current standard), not the superseded FIPS 140-2
For more information, see:

Docker Images

Hardened Base Image

FIPS and Enterprise Edition Docker images are built on Docker Hardened Images (DHI). These commercially supported base images provide security and compliance capabilities beyond what standard community base images offer:
  • FIPS compliance attestation: a signed, machine-readable attestation listing the FIPS-validated cryptographic modules (including OpenSSL FIPS Provider, CMVP #4985) present in the image, with their validation status and certificate numbers.
  • Signed SBOM: a complete Software Bill of Materials in CycloneDX and SPDX formats, cryptographically signed for tamper evidence, enabling customers to audit every component in the container.
  • SLSA Build Level 3 provenance: tamper-resistant build records that cryptographically link the image to its source definition, verifying the image was built by Docker’s official infrastructure without manual intervention.
  • VEX statements: Vulnerability Exploitability Exchange documents that provide assessed context about known CVEs, enabling scanners to automatically suppress vulnerabilities that have been determined to be non-exploitable in the container environment.
  • STIG compliance scans: Security Technical Implementation Guide results for regulatory audit requirements.
  • CVE remediation SLA: Docker provides SLA-backed security updates for the base image, including a 7-day remediation commitment for critical and high severity vulnerabilities (with DHI Enterprise subscription).
The base image and all its attestations are publicly accessible for independent verification:
docker scout attestation list tykio/dhi-busybox:1.37-fips

Base Image Maintenance and Updates

The Docker Hardened Images base is maintained by Docker, Inc. Security patches, vulnerability remediation, and FIPS attestation updates for the base image are managed by Docker in accordance with its Hardened Images lifecycle and support policies. Tyk incorporates base image updates into new releases on a regular cadence. The timing of security fixes in the base image is dependent on Docker’s release schedule. Tyk does not independently patch or modify the Docker Hardened Images base, as doing so would invalidate its FIPS attestation, SBOM, and provenance chain. For vulnerabilities identified in the base image, refer to the Vulnerability Management section below for guidance on how VEX attestations communicate the exploitability status of known CVEs.

Image Variants

Image                             | Base                  | Architectures
----------------------------------|-----------------------|---------------------
tykio/tyk-gateway (OSS)           | Distroless            | amd64, arm64, s390x
tykio/tyk-gateway-ee (Enterprise) | Docker Hardened Image | amd64, arm64
tykio/tyk-gateway-fips (FIPS)     | Docker Hardened Image | amd64, arm64
Enterprise and FIPS images share the same hardened base. The FIPS images additionally contain binaries with the Go Cryptographic Module enabled.

Configuration

Tyk Gateway

The only FIPS-specific configuration required is setting the key hashing algorithm to SHA-256:
{
  "hash_key_function": "sha256"
}
Or via environment variable:
TYK_GW_HASHKEYFUNCTION=sha256
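As an added example (not part of the Tyk documentation or Tyk's own tooling), the following POSIX shell pre-flight check reports the effective hash_key_function for a Gateway config file and fails unless it is sha256. It assumes that TYK_GW_HASHKEYFUNCTION takes precedence over the file (the usual behaviour of TYK_GW_* variables) and that an unset value means Tyk's default of murmur32; both are assumptions and are marked in the code. The two config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Tyk's own tooling: pre-flight check that the Gateway's
# key hashing function is the FIPS-approved SHA-256 rather than a Murmur hash.

# Print the effective hash_key_function for a tyk.conf.
# Assumptions: TYK_GW_HASHKEYFUNCTION overrides the file (normal precedence
# for TYK_GW_* variables), an unset/empty value means Tyk's default murmur32,
# and the JSON key sits on a single line as it does in a typical tyk.conf.
effective_hash_key_function() {
  conf="$1"
  if [ -n "${TYK_GW_HASHKEYFUNCTION:-}" ]; then
    printf '%s\n' "$TYK_GW_HASHKEYFUNCTION"
    return 0
  fi
  value=$(sed -n 's/.*"hash_key_function"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
  printf '%s\n' "${value:-murmur32}"
}

# Exit 0 when the effective value is sha256, 1 otherwise (with a diagnostic).
check_fips_hash_key_function() {
  fn=$(effective_hash_key_function "$1")
  if [ "$fn" = "sha256" ]; then
    echo "ok: hash_key_function=sha256"
    return 0
  fi
  echo "FAIL: hash_key_function=$fn (Murmur hashes are not FIPS-approved; set \"sha256\")" >&2
  return 1
}

# Constructed sample configs for offline demonstration.
WORKDIR=$(mktemp -d)
GOOD_CONF="$WORKDIR/tyk-fips.conf"
BAD_CONF="$WORKDIR/tyk-default.conf"
cat > "$GOOD_CONF" <<'EOF'
{
  "listen_port": 8080,
  "hash_key_function": "sha256"
}
EOF
cat > "$BAD_CONF" <<'EOF'
{
  "listen_port": 8080,
  "hash_key_function": "murmur64"
}
EOF

# Usage: sh check-hash-fn.sh /opt/tyk-gateway/tyk.conf
# Without an argument the two constructed configs are checked instead.
if [ "$#" -gt 0 ]; then
  check_fips_hash_key_function "$1"
else
  check_fips_hash_key_function "$GOOD_CONF"
  check_fips_hash_key_function "$BAD_CONF" || true
fi
```

Run it against the real tyk.conf in the same environment (same TYK_GW_* variables) that the Gateway process will see, so that the precedence the check applies matches what the Gateway applies.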

Other Products

Tyk Dashboard, Tyk Pump, and Tyk MDCB do not require additional FIPS-specific configuration. FIPS mode is active by default in FIPS builds.

Vulnerability Scanning

Docker Hardened Images are published with zero known vulnerabilities and include VEX (Vulnerability Exploitability Exchange) attestations that document the exploitability status of reported CVEs. Some vulnerability scanners may report CVEs in OS-level packages (such as busybox or ncurses) that are present in the base image. These CVEs are typically classified by the upstream OS vendor (Debian) as no-dsa, meaning the Debian security team has determined that no security advisory is warranted due to the vulnerability’s low practical impact.

Docker Scout

Docker Scout automatically applies VEX and Debian security classifications. No additional configuration is required.
docker scout cves tykio/tyk-gateway-fips:<tag>

Trivy

Trivy reports CVEs based on the presence of packages, regardless of whether the OS vendor considers them actionable. To filter out CVEs where no fix is available from the OS vendor (matching Debian’s no-dsa classification and Docker Scout’s assessment), use --ignore-unfixed:
trivy image --ignore-unfixed --severity HIGH,CRITICAL tykio/tyk-gateway-fips:<tag>
This filters CVEs that have no available fix in the current OS release — the same CVEs that Debian has classified as not warranting a security advisory. For additional context, you can configure Docker’s VEX advisories repository to apply VEX statements during scanning:
trivy vex repo init
Add the Docker Hardened Images advisories to ~/.trivy/vex/repository.yaml:
repositories:
  - name: default
    url: https://github.com/aquasecurity/vexhub
    enabled: true
  - name: docker-hardened-images
    url: https://github.com/docker-hardened-images/advisories
    enabled: true
Then scan with both VEX and unfixed filtering:
trivy vex repo download
trivy image --ignore-unfixed --vex repo --severity HIGH,CRITICAL tykio/tyk-gateway-fips:<tag>

Grype

Export VEX from the base image and scan with VEX filtering:
docker scout vex get --org tykio -o vex.json tykio/dhi-busybox:1.37-fips
grype tykio/tyk-gateway-fips:<tag> --vex vex.json

Understanding Scanner Discrepancies

Different scanners may report different CVE counts for the same image. This is expected behavior and is not a security concern:
  • Docker Scout applies VEX, Debian security classifications (no-dsa), and its own reachability analysis automatically. It provides the most complete view of actual exploitability for Docker Hardened Images.
  • Trivy and Grype report CVEs based on package presence. Use --ignore-unfixed and/or VEX configuration to filter CVEs that the OS vendor has determined do not warrant a fix.
  • All scanners agree on CVEs that have available fixes — these represent actionable findings that should be addressed.
The authoritative vulnerability count for the Docker Hardened Images base is visible on Docker Hub.

Compliance Scope and Limitations

Please review the following carefully. It defines the scope and limitations of Tyk’s FIPS compliance.

What Is Covered

  • Cryptographic operations performed by Tyk binaries distributed with the -fips suffix, including TLS termination, hash computation, digital signatures, and symmetric encryption.
  • The cryptographic libraries in the Docker Hardened Images base (OpenSSL FIPS Provider, CMVP #4985).

What Is Not Covered

  • The customer’s deployment environment, operating system, network configuration, or infrastructure.
  • Key management procedures and operational security practices.
  • Custom plugins loaded into Tyk.
  • External services that Tyk communicates with, including Redis, PostgreSQL, upstream APIs, and identity providers.
  • Data at rest, unless explicitly handled by Tyk’s cryptographic operations.
  • Any component or service outside the Tyk binaries and their container base image.

Customer Responsibilities

Customers are responsible for ensuring FIPS compliance of their overall deployment environment and operational procedures. FIPS compliance of the Tyk products alone does not make a deployment FIPS-compliant. Customers must independently assess and validate their full deployment against applicable FIPS requirements.

Validation Status

  • The Go Cryptographic Module v1.0.0, CAVP Certificate A6650, available in Go 1.24 and later. See the Go FIPS 140-3 documentation for details.
  • The OpenSSL FIPS Provider, CMVP Certificate #4985, included in the Docker Hardened Images base.

Third-Party Dependencies

Tyk’s FIPS compliance depends on third-party components maintained by their respective vendors:
  • Go Cryptographic Module: maintained by the Go project. FIPS validation status and updates are subject to the Go release lifecycle.
  • Docker Hardened Images: maintained by Docker, Inc. Base image security patches, FIPS attestations, CVE remediation SLAs, and VEX updates are subject to Docker’s release and support policies.
Tyk does not control the release schedule, validation status, or support lifecycle of these third-party components. Any changes to the validation status of these components may affect Tyk’s FIPS compliance posture. Tyk will communicate material changes to customers as they occur.

Verification

Verifying Docker Images

Confirm that a FIPS image uses the hardened base by inspecting its attestations:
docker scout attestation list tykio/tyk-gateway-fips:<tag>

Verifying Binaries

FIPS builds with GOFIPS140 are available in Tyk Gateway 5.13.0 and Tyk Dashboard 5.13.0 and later.
Extract and inspect the build settings of any Tyk FIPS binary:
# Extract from Docker image (requires crane: brew install crane)
mkdir -p /tmp/tyk-check
crane export --platform linux/amd64 tykio/tyk-gateway-fips:<tag> - | \
  tar xf - -C /tmp/tyk-check opt/tyk-gateway/tyk

# Inspect build info
go version -m /tmp/tyk-check/opt/tyk-gateway/tyk
A FIPS binary will show:
build   GOFIPS140=v1.0.0-<commit>
build   DefaultGODEBUG=fips140=on,...
build   -tags=goplugin,ee,fips,fips140v1.0
A non-FIPS binary will not contain GOFIPS140 in its build info.

Verifying from Packages

# DEB
dpkg-deb -x tyk-gateway-fips_*.deb /tmp/tyk-deb
go version -m /tmp/tyk-deb/opt/tyk-gateway/tyk

# RPM (rpm2cpio/cpio does not create the target directory, so create it first)
mkdir -p /tmp/tyk-rpm
rpm2cpio tyk-gateway-fips-*.rpm | (cd /tmp/tyk-rpm && cpio -idmv)
go version -m /tmp/tyk-rpm/opt/tyk-gateway/tyk
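Both the Docker image and the package extraction above end with `go version -m`. As an added example that is not Tyk's own tooling, the following POSIX shell classifier reads that output and reports whether the binary was built with GOFIPS140 and whether fips140 is on by default, which distinguishes a FIPS build from a non-FIPS build and from the edge case of a module that is embedded but switched off in the build's default GODEBUG. The three sample outputs are constructed for offline demonstration, modelled on the fields shown above (the module path github.com/TykTechnologies/tyk is the Gateway's Go module); `check_binary` is the wrapper to run against a real extracted binary. Build info records compile-time defaults only: a runtime GODEBUG such as fips140=only is not visible there.

```shell
#!/bin/sh
# Added example, not Tyk's own tooling: classify a Tyk binary as a FIPS build
# from its Go build settings (the output of `go version -m`).

# Read `go version -m` output on stdin and print one of:
#   fips          GOFIPS140 present and fips140=on (or =only) in DefaultGODEBUG
#   embedded-off  GOFIPS140 present but the build's default GODEBUG turns fips140 off
#   non-fips      no GOFIPS140 setting (not built with GOFIPS140)
# Returns 0 only for "fips". Whitespace between fields may be tabs or spaces.
classify_buildinfo() {
  info=$(cat)
  if ! printf '%s\n' "$info" | grep -q 'build[[:space:]]*GOFIPS140=v'; then
    echo non-fips
    return 1
  fi
  if printf '%s\n' "$info" | grep -Eq 'build[[:space:]]*DefaultGODEBUG=.*fips140=on(ly)?(,|$)'; then
    echo fips
    return 0
  fi
  echo embedded-off
  return 1
}

# Print the embedded Go Cryptographic Module version (the GOFIPS140 value).
gofips140_version() {
  sed -n 's/.*GOFIPS140=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Classify a binary on disk, e.g. the one extracted to /tmp/tyk-check above.
check_binary() {
  go version -m "$1" | classify_buildinfo
}

# Constructed sample outputs (shape of `go version -m`, values as shown in the
# docs; "<commit>" is kept as a placeholder, not a real build id).
SAMPLE_FIPS=$(
  echo '/tmp/tyk-check/opt/tyk-gateway/tyk: go1.24'
  printf '\t%s\t%s\n' \
    path  github.com/TykTechnologies/tyk \
    build '-tags=goplugin,ee,fips,fips140v1.0' \
    build 'GOFIPS140=v1.0.0-<commit>' \
    build 'DefaultGODEBUG=fips140=on,...'
)
SAMPLE_NONFIPS=$(
  echo '/tmp/tyk-check/opt/tyk-gateway/tyk: go1.24'
  printf '\t%s\t%s\n' \
    path  github.com/TykTechnologies/tyk \
    build '-tags=goplugin,ee'
)
SAMPLE_EMBEDDED_OFF=$(
  echo '/tmp/tyk-check/opt/tyk-gateway/tyk: go1.24'
  printf '\t%s\t%s\n' \
    path  github.com/TykTechnologies/tyk \
    build 'GOFIPS140=v1.0.0-<commit>' \
    build 'DefaultGODEBUG=fips140=off,...'
)

# Usage: sh classify-fips.sh /tmp/tyk-check/opt/tyk-gateway/tyk
# Without an argument the three constructed samples are classified instead.
if [ "$#" -gt 0 ]; then
  check_binary "$1"
else
  for s in "$SAMPLE_FIPS" "$SAMPLE_NONFIPS" "$SAMPLE_EMBEDDED_OFF"; do
    printf '%s\n' "$s" | classify_buildinfo || true
  done
fi
```

The exit status makes the classifier usable as a gate in a release pipeline: only a binary that reports "fips" passes, so an image accidentally built from the non-FIPS tree fails the check before it is deployed.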

Enforcing Strict FIPS Mode

Go 1.25 and later support a strict FIPS mode in which the process terminates if a non-approved algorithm is used:
docker run -e GODEBUG=fips140=only tykio/tyk-gateway-fips:<tag>