Software Supply Chain Security
What is Software Supply Chain Security (SSCS)?
SSCS refers to the practices and strategies used to protect the entire software development lifecycle.
It focuses on securing every element within scope, from initial code authoring through deployment and maintenance.
That scope covers code, dependencies, build processes, distribution channels and more, with the goal of preventing malicious actors from compromising the software supply chain.
With reliance on open-source libraries and third-party components continuing to grow, ensuring their integrity and security is critically important.
Why does SSCS matter?
The importance of SSCS has grown more than ever as sophisticated cyberattacks targeting the software supply chain increase.
Recent incidents and the exploitation of vulnerabilities in open-source components have made clear that robust supply chain security measures are indispensable.
A compromise at any stage of the software lifecycle can lead to widespread vulnerabilities, data breaches and significant financial losses.
How Docker Hardened Images contribute to SSCS
Docker Hardened Images (DHI) are purpose-built container images designed with security at their core, addressing the challenges of modern software supply chain security.
By integrating DHI into development and deployment pipelines, organizations can strengthen their SSCS (software supply chain security) posture in the following ways:
- Minimized attack surface: DHI are designed to be as minimal as possible, removing unnecessary components and reducing the attack surface by up to 95%. This distroless approach leaves attackers far less room to gain a foothold.
- Cryptographic signing and provenance: Each DHI is cryptographically signed, guaranteeing its authenticity and integrity. DHI also retain build provenance, presenting an image's origin and build process as verifiable evidence, in line with standards such as SLSA (Supply-chain Levels for Software Artifacts).
- Software Bill of Materials (SBOM): Each DHI includes a comprehensive SBOM that clearly lists every component and dependency inside the image. This transparency supports vulnerability management and compliance tracking, letting teams accurately assess and mitigate risk.
- Continuous maintenance and rapid CVE remediation: DHI are regularly updated and security-patched by Docker, with SLA-backed rapid response for Critical and High severity vulnerabilities. This proactive approach keeps images consistently secure and compliant with enterprise standards.
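The signing, provenance and SBOM points in the list above describe what a consumer is expected to verify before running an image. The following script is an added example of such a verification gate; it is not code from this page or from Docker's DHI tooling. Everything in it is constructed: the image digest, the builder URL, the key, the package names and the advisory identifiers are hypothetical, the attestations follow the in-toto statement layout with a SLSA v1 provenance predicate and an SPDX document predicate, and the DSSE signature is a stand-in HMAC-SHA256 so the script runs offline (real attestations carry asymmetric signatures that a tool such as cosign verifies against the publisher's key or identity).

```python
"""Policy gate over a container image's attestations (constructed, stdlib-only example).
Checks a SLSA v1 provenance envelope (trusted builder, right digest) and an SPDX SBOM
envelope (no package under a known advisory) before the image is admitted. The DSSE
signature is a stand-in HMAC-SHA256 so it runs offline; real attestations use
asymmetric signatures that tools such as cosign verify against the publisher's key."""
import base64
import hashlib
import hmac
import json

IN_TOTO = "application/vnd.in-toto+json"
# Constructed, hypothetical values: not a real key, image, builder or advisory feed.
STANDIN_KEY = b"example-hmac-key-not-a-real-signing-key"
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed-image-manifest").hexdigest()
TRUSTED_BUILDERS = {"https://example.invalid/builders/hardened-image-pipeline"}
ADVISORIES = {  # package name -> (placeholder advisory id, first fixed version)
    "libexample": ("CVE-0000-00001", (1, 2, 3)), "zlib-example": ("CVE-0000-00002", (2, 0, 0))}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the signature actually covers."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def make_envelope(statement: dict) -> dict:
    """Wrap an in-toto statement in a DSSE envelope with the stand-in signature."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(STANDIN_KEY, pae(IN_TOTO, payload), hashlib.sha256).digest()
    return {"payloadType": IN_TOTO, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "standin-key", "sig": base64.b64encode(sig).decode()}]}

def open_envelope(env: dict) -> dict:
    """Verify the signature over the PAE first; only then trust the payload."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(STANDIN_KEY, pae(env["payloadType"], payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(env["signatures"][0]["sig"])):
        raise ValueError("attestation signature does not verify")
    return json.loads(payload)

def subject_matches(statement: dict, digest: str) -> bool:
    """The statement must name exactly the digest about to be deployed."""
    algo, hexval = digest.split(":", 1)
    return any(s.get("digest", {}).get(algo) == hexval for s in statement.get("subject", []))

def parse_version(text: str) -> tuple:
    """Dotted version string to a comparable tuple (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def check_provenance(env: dict, digest: str) -> list:
    """Findings for a SLSA provenance envelope; an empty list means the gate passes."""
    findings, st = [], open_envelope(env)
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicateType for provenance")
    if not subject_matches(st, digest):
        findings.append("provenance subject does not match image digest")
    builder = st.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        findings.append(f"untrusted builder: {builder}")
    return findings

def check_sbom(env: dict, digest: str) -> list:
    """Findings for an SPDX SBOM envelope: subject mismatch or packages under advisory."""
    findings, st = [], open_envelope(env)
    if st.get("predicateType") != "https://spdx.dev/Document":
        findings.append("unexpected predicateType for SBOM")
    if not subject_matches(st, digest):
        findings.append("SBOM subject does not match image digest")
    for pkg in st.get("predicate", {}).get("packages", []):
        adv = ADVISORIES.get(pkg.get("name"))
        if adv and parse_version(pkg.get("versionInfo", "0")) < adv[1]:
            findings.append(f"{pkg['name']} {pkg['versionInfo']} affected by {adv[0]} "
                            f"(fixed in {'.'.join(map(str, adv[1]))})")
    return findings

def admit(attestations: dict, digest: str) -> list:
    """All findings across both gates; deploy only when this list is empty."""
    return check_provenance(attestations["provenance"], digest) + check_sbom(attestations["sbom"], digest)

def constructed_attestations(digest: str) -> dict:
    """Sample provenance and SBOM envelopes for `digest` (constructed data)."""
    algo, hexval = digest.split(":", 1)
    subject = [{"name": "registry.example.invalid/app", "digest": {algo: hexval}}]
    provenance = {"_type": "https://in-toto.io/Statement/v1", "subject": subject,
                  "predicateType": "https://slsa.dev/provenance/v1",
                  "predicate": {"buildDefinition": {"buildType": "https://example.invalid/buildtypes/container/v1"},
                                "runDetails": {"builder": {"id": "https://example.invalid/builders/hardened-image-pipeline"}}}}
    sbom = {"_type": "https://in-toto.io/Statement/v1", "subject": subject,
            "predicateType": "https://spdx.dev/Document",
            "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
                {"name": "libexample", "versionInfo": "1.2.1"},    # below the first fixed version
                {"name": "zlib-example", "versionInfo": "2.0.4"},  # already patched
                {"name": "app", "versionInfo": "3.1.0"}]}}
    return {"provenance": make_envelope(provenance), "sbom": make_envelope(sbom)}

if __name__ == "__main__":
    for finding in admit(constructed_attestations(IMAGE_DIGEST), IMAGE_DIGEST):
        print("DENY:", finding)
```

Two design points carry over to real attestations regardless of the signature scheme: the signature is checked over the DSSE pre-authentication encoding before the payload is parsed, so an unsigned or altered statement is never interpreted, and the statement's subject digest is compared with the digest actually being deployed, so a genuine attestation cannot be replayed against a different image. With the constructed data the provenance gate passes and the SBOM gate denies the image because `libexample 1.2.1` is below the advisory's fixed version.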