Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add pre-submit to verify base images #592

Merged
merged 8 commits into from Sep 7, 2022
Merged

Add pre-submit to verify base images #592

merged 8 commits into from Sep 7, 2022

Conversation

ianlewis
Copy link
Member

@ianlewis ianlewis commented Jul 20, 2022
edited

Adds a pre-submit to verify base images in all Dockerfiles in the repository.

  • All base images must be referenced by digest.
  • All images must be signed.
    • If the image name starts with "gcr.io/distroless/" then the image signature is verified using cosign with the distroless public key.
    • Otherwise the image is verified using Docker Content Trust and the image digest is verified.

NOTE: the "verify base images" workflow job needs to be added as a required status check to the protected branch rule after merging.

@ianlewis ianlewis mentioned this pull request Jul 20, 2022
Merged
1 task
@ianlewis ianlewis changed the title Add comments to verify new base image digests Add pre-submit to verify base image digests Sep 6, 2022
@ianlewis ianlewis changed the title Add pre-submit to verify base image digests Add pre-submit to verify base images Sep 6, 2022
@ianlewis
Copy link
Member Author

ianlewis commented Sep 6, 2022

@joshuagl @laurentsimon I updated this to add a pre-submit script rather than instructions written in a comment. Please read the updated PR description.

@ianlewis
Use specific golang version for tag
cf9937b 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
retab
8378a8c 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
Add description comment
981267c 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis ianlewis mentioned this pull request Sep 6, 2022
Closed
1 task
joshuagl
joshuagl approved these changes Sep 6, 2022
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fantastic, really nice work!

@ianlewis ianlewis self-assigned this Sep 7, 2022
@ianlewis ianlewis enabled auto-merge (squash) September 7, 2022 01:25
@ianlewis ianlewis merged commit e77551c into slsa-framework:main Sep 7, 2022
@ianlewis
Copy link
Member Author

ianlewis commented Sep 7, 2022

Added "verify base images" as a requirement on the protected branch rule.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loosebazooka loosebazooka loosebazooka left review comments

@lumjjb lumjjb lumjjb left review comments

@joshuagl joshuagl joshuagl approved these changes

@laurentsimon laurentsimon laurentsimon approved these changes

@asraa asraa Awaiting requested review from asraa

Assignees

@ianlewis ianlewis

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ianlewis @loosebazooka @lumjjb @joshuagl @laurentsimon