Code signing
What is code signing?
Code signing is the process of applying a cryptographic signature to software artifacts, such as Docker images, in order to verify their integrity and authenticity.
Signing an image lets you guarantee that it has not been tampered with since it was signed and that it was issued by a trusted source.
In the context of Docker Hardened Images (DHI), code signing is implemented with Cosign.
Cosign is a tool developed by the Sigstore project that enables secure, verifiable signing of container images, strengthening trust and security across the software supply chain.
Why code signing matters
Code signing plays a critical role in modern software development and cybersecurity:
- Authenticity: verifies that the image was created by a trusted source.
- Integrity: guarantees that the image has not been altered since it was signed.
- Compliance: helps meet regulatory and organizational security requirements.
Code signing for Docker Hardened Images
All DHIs are cryptographically signed with Cosign, guaranteeing that the image has not been tampered with and that it originates from a trusted source.
Why should you sign your own images too?
Docker Hardened Images are signed by Docker, so their origin and integrity are guaranteed.
However, when you build application images that extend a DHI, or use images you built yourself, signing your own images is also recommended.
By signing your own images, you can:
- Prove that the image was built by your team or your pipeline
- Guarantee that the build has not been tampered with after it was pushed
- Support compliance with software supply chain frameworks such as SLSA
- Enable image verification in deployment workflows and tools
This is especially important in CI/CD environments where images are built and pushed frequently, or wherever image provenance (origin) must be auditable.
How to verify and use code signatures
Verifying signatures
To confirm that a Docker Hardened Image is signed and trusted, you can use Docker Scout or Cosign.
To list all attestations attached to an image, including signature metadata, run the following command:
$ docker scout attest list <image-name>:<tag> --platform <platform>
To verify a specific signed attestation (for example an SBOM, VEX, or provenance):
$ docker scout attest get \
--predicate-type <predicate-uri> \
--verify \
<image-name>:<tag> --platform <platform>
Example:
$ docker scout attest get \
--predicate-type https://openvex.dev/ns/v0.2.0 \
--verify \
docs/dhi-python:3.13 --platform linux/amd64
If the signature is valid, Docker Scout confirms it and displays the signature payload together with the corresponding Cosign command for verifying that image.
Signing images
To sign an image, use Cosign. Replace <image-name>:<tag> with the name and tag of the target image.
$ cosign sign <image-name>:<tag>
When you run this command, you are prompted to authenticate with an OIDC provider (such as GitHub, Google, or Microsoft).
Once authentication succeeds, Cosign generates a short-lived certificate and signs the image.
The signature is stored in a transparency log and associated with the image in the registry.
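The signature produced above only protects a deployment if the deploying side checks it, and a keyless (OIDC) signature must be checked against the identity you expect to have signed, not merely for "some valid Sigstore signature". The gate script below is an added example, not code from Docker's documentation or from the Sigstore project; it assumes cosign v2 (whose `cosign verify` accepts `--certificate-identity` and `--certificate-oidc-issuer`), and the identity, issuer, registry name and the helper names `is_digest_ref`/`verify_image` are constructed placeholders.

```shell
#!/bin/sh
# Deployment gate for an image you signed with "cosign sign" (keyless).
# Added example, not Docker's or Sigstore's own code. Assumes cosign v2.
set -eu

# Constructed placeholders: the OIDC identity that is allowed to sign your
# images (here a GitHub Actions workflow) and the issuer that vouches for it.
EXPECTED_IDENTITY="https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main"
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"

# is_digest_ref REF: succeeds only if REF ends in @sha256:<64 hex chars>.
# A tag is mutable, so a verdict on "app:1.0" says nothing about what the
# tag points to at deploy time; the gate therefore requires a digest.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  d="${1##*@sha256:}"
  [ "${#d}" -eq 64 ] || return 1
  [ -z "$(printf '%s' "$d" | tr -d '0-9a-f')" ]
}

# verify_image REF: 0 only when cosign accepts a signature for the pinned
# digest whose certificate carries the expected identity and issuer.
# Omitting those two flags would accept a signature from ANY Sigstore user.
# Return codes: 2 = ref not pinned, 3 = cosign unavailable, 1 = verify failed.
verify_image() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refuse: $ref is not pinned by digest" >&2
    return 2
  fi
  if ! command -v cosign >/dev/null 2>&1; then
    echo "refuse: cosign not installed, failing closed" >&2
    return 3
  fi
  cosign verify \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$ref" >/dev/null
}

# Usage: sh gate.sh registry.example.com/app@sha256:<digest>
if [ "${1:-}" != "" ]; then
  verify_image "$1" && echo "signature verified, deploying $1"
fi
```

Run it from the deploy job with the digest your build published; any refusal (unpinned reference, missing cosign, identity mismatch) exits non-zero and stops the rollout.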