Add OCI image annotations, SLSA provenance, and SBOM attestations #55
base: main
Conversation
@micahsnyder can you please take a look whenever you get the chance?
Hi Craig! Thanks for this. It looks useful. Either I or someone on my team will review it and get back to you.
@candrews one quick note -- we forgot to merge #54. We built the 1.4.0 release images based on the approved PR branch, but hadn't merged because of new commit signing requirements. Just fixed that and merged it now. So for your PR we will at least need to rebase with
These annotations are useful for people to use manually as well as for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes. See:
* https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
* https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
* https://github.com/renovatebot/renovate/blob/34.115.1/lib/modules/datasource/docker/readme.md
The provenance attestations include facts about the build process, including details such as:
* Build timestamps
* Build parameters and environment
* Version control metadata
* Source code details
* Materials (files, scripts) consumed during the build
See:
* https://docs.docker.com/build/attestations/slsa-provenance/
* https://docs.docker.com/build/attestations/slsa-definitions/
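A consumer-side check for the attestations this PR attaches, written as an added example (not code from this PR or from the ClamAV project): it reads the SLSA provenance predicate and the SPDX SBOM that `--provenance mode=max` and `--sbom=true` publish, and verifies the builder id matches the pipeline's expected BUILD_URL, that materials carry digests and that the SBOM is usable. The sample documents and the builder URL are constructed placeholders; field names follow the SLSA v0.2 and SPDX specifications.

```python
"""Verify SLSA provenance and SBOM attestations published with an image.
Added example; sample documents are constructed, not captured from a real build."""
import json

# Placeholder for the Jenkins BUILD_URL passed as builder-id (constructed).
EXPECTED_BUILDER_ID = "https://ci.example.invalid/job/clamav-docker/42/"

# Constructed SLSA v0.2 predicate, trimmed to the fields the checks read.
SAMPLE_PROVENANCE = json.dumps({
    "builder": {"id": EXPECTED_BUILDER_ID},
    "buildType": "https://mobyproject.org/buildkit@v1",
    "invocation": {"configSource": {"entryPoint": "Dockerfile"}},
    "materials": [{"uri": "pkg:docker/debian@bookworm-slim?platform=linux%2Famd64",
                   "digest": {"sha256": "0" * 64}}],
    "metadata": {"buildStartedOn": "2024-09-01T12:00:00Z",
                 "completeness": {"parameters": True, "environment": True,
                                  "materials": True}},
})

# Constructed SPDX SBOM, trimmed likewise.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "clamav", "versionInfo": "1.4.0"},
                 {"name": "libc6", "versionInfo": "2.36-9+deb12u7"}],
})


def check_provenance(doc, expected_builder_id):
    """Return a list of problems; an empty list means the predicate passes."""
    p = json.loads(doc)
    problems = []
    builder_id = p.get("builder", {}).get("id")
    # builder-id is what --provenance builder-id=... records; a mismatch means
    # the attestation did not come from the pipeline we trust.
    if builder_id != expected_builder_id:
        problems.append("builder.id mismatch: %r" % builder_id)
    materials = p.get("materials", [])
    if not materials:
        problems.append("no materials recorded (mode=max expected)")
    if not all(m.get("digest", {}).get("sha256") for m in materials):
        problems.append("material without sha256 digest")
    if not p.get("metadata", {}).get("buildStartedOn"):
        problems.append("missing metadata.buildStartedOn")
    comp = p.get("metadata", {}).get("completeness", {})
    if not (comp.get("parameters") and comp.get("materials")):
        problems.append("completeness flags unset; provenance may be mode=min")
    return problems


def check_sbom(doc):
    """Return sorted package names from an SPDX SBOM, or [] if it is unusable."""
    s = json.loads(doc)
    if not str(s.get("spdxVersion", "")).startswith("SPDX-"):
        return []
    return sorted(pkg["name"] for pkg in s.get("packages", []) if "name" in pkg)
```

On a real image the two documents come from `docker buildx imagetools inspect IMAGE --format '{{ json .Provenance.SLSA }}'` and `--format '{{ json .SBOM.SPDX }}'`, which need registry access and are therefore left out of the offline block.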
2a4ffe8
to
0fc4446
No worries! I've rebased this MR including adding the changes to 1.4.
@@ -71,7 +71,7 @@ node('docker') { | |||
|
|||
// Build X.Y.Z-R image | |||
sh """ | |||
docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" . | |||
docker build --sbom=true --provenance mode=max,builder-id="${BUILD_URL}" --annotation "org.opencontainers.image.url=${params.REPOSITORY}" --annotation "org.opencontainers.image.source=${params.REPOSITORY}" --annotation "org.opencontainers.image.version=${params.FULL_VERSION}" --annotation "org.opencontainers.image.ref.name=${params.BRANCH}" --annotation "org.opencontainers.image.created=$(date -Iseconds)" --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" . |
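Review bot: `$(date -Iseconds)` sits inside the Groovy `"""` GString opened on the `sh """` line, so Groovy's string parser handles that `$` before the shell ever sees it, and a bare `$(` is not a valid GString expression; escape it as `\$(date -Iseconds)` so the command substitution reaches the shell, or compute the timestamp in Groovy and interpolate it as `${created}`. The `${params.*}`, `${BUILD_URL}` and `${BUILD_NUMBER}` references are meant for Groovy and can stay as they are. The single very long `docker build` line would also read better split with `\` continuations, one `--annotation` per line.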
docker build --sbom=true --provenance mode=max,builder-id="${BUILD_URL}" --annotation "org.opencontainers.image.url=${params.REPOSITORY}" --annotation "org.opencontainers.image.source=${params.REPOSITORY}" --annotation "org.opencontainers.image.version=${params.FULL_VERSION}" --annotation "org.opencontainers.image.ref.name=${params.BRANCH}" --annotation "org.opencontainers.image.created=$(date -Iseconds)" --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
docker build --sbom=true --provenance mode=max,builder-id='${BUILD_URL}' --annotation 'org.opencontainers.image.url=${params.REPOSITORY}' --annotation 'org.opencontainers.image.source=${params.REPOSITORY}' --annotation 'org.opencontainers.image.version=${params.FULL_VERSION}' --annotation 'org.opencontainers.image.ref.name=${params.BRANCH}' --annotation 'org.opencontainers.image.created=$(date -Iseconds)' --no-cache --tag '${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}' .
Similar changes need to be done in other places.
Failure - Failed to interpolate annotation strings.
I have tested the suggested strings and it works fine. I will further check the image for expected changes and will verify them.
I'm not sure this change is correct.
Currently, --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}"
is present (with double quotes) and working:
docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
Yet you're saying that that line needs the double quotes changed to singles. If doubles are working now, why change to singles?
Hi @candrews
Thanks for asking the question.
"org.opencontainers.image.created=$(date -Iseconds)"
This is failing to be interpolated by Jenkins Groovy. This should be in single quotes so that only the shell can interpolate it and not Jenkins.
Ideally, there should be a clear demarcation of what is being interpolated by groovy and shell. I will make the changes to it once your changes are merged.
Also,
--annotation org.opencontainers.image.created="$(date -Iseconds)" - We can do this as well, to keep the "$" from being interpolated by Groovy.
To be consistent, I prefer to use single quotes.
Let me know if it makes sense.
Thanks
We also need to update the changes for ClamAV images with the Database. Current changes only target the base image and not the latest database image. Changes are required here for each version, both Alpine and Debian images. Update DB script
- Fix string interpolation.
- Update changes for the latest DB images.
Add OCI image annotations to images
Attach SLSA provenance attestations to images
Attach SBOM attestations to images