Secure software development lifecycle
What is a secure software development lifecycle?
A secure software development lifecycle (SSDLC) refers to embedding security practices into every stage of software delivery, from design and development through deployment and monitoring.
This goes beyond simply writing secure code: it means building security into the tools, environments, and workflows used to build and deliver software.
SSDLC practices are often guided by compliance frameworks, organizational policies, and supply chain security standards such as SLSA (Supply-chain Levels for Software Artifacts) and NIST SSDF.
Why SSDLC matters
Modern applications depend on fast, iterative development. But if security controls are not built in from the early stages, rapid delivery brings security risk with it.
Adopting SSDLC yields the following:
- Prevent vulnerabilities before they reach production
- Ensure compliance through traceable, auditable workflows
- Reduce operational risk by maintaining consistent security standards
- Enable secure automation across CI/CD pipelines and cloud-native environments
By treating security as a "first-class citizen" at every stage of software delivery, organizations can shift left (introduce security early in development) and reduce both cost and complexity.
How Docker supports a secure SDLC
Docker provides tools and secure content that make SSDLC practices easier to apply across the container lifecycle.
By combining Docker Hardened Images (DHI), Docker Debug, and Docker Scout, teams can embed security without sacrificing development speed.
Plan and design
In the planning phase, teams define architectural constraints, compliance goals, and threat models.
Docker Hardened Images support this phase by providing:
- Secure-by-default base images for common language runtimes
- Verified metadata including SBOMs, provenance, and VEX documents
- Support for both glibc and musl across multiple Linux distributions
DHI metadata and attestations can serve as supporting evidence for design reviews, threat modeling, and architecture approvals.
Develop
In the development phase, security must be transparent and easy to apply.
Docker Hardened Images provide secure-by-default development environments:
- Dev variants include shells, package managers, and compilers for convenience
- Runtime variants reduce the attack surface of the final image
- Multi-stage builds let you separate build-time tools from the runtime environment
Docker Debug further lets developers:
- Temporarily inject debugging tools into minimal containers
- Troubleshoot without modifying the base image
- Safely investigate issues in production-like environments
Build and test
The build pipeline is the ideal place to catch issues early.
Docker Scout integrates with Docker Hub and the CLI to enable:
- Scanning for known CVEs using multiple vulnerability databases
- Tracing vulnerabilities to specific layers and dependencies
- Interpreting signed VEX data to suppress irrelevant issues
- Exporting scan reports in JSON format for CI/CD workflows
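To make "interpreting VEX data to suppress irrelevant issues" concrete, here is an added Python example (not Docker's or Docker Scout's code) that applies an OpenVEX document to scanner findings and drives a CI gate from what remains. The VEX document, CVE ids, product ids and findings are all constructed placeholders, and the document's signature is assumed to have been verified before this step.

```python
import json

# Constructed OpenVEX document (minimal fields); CVE ids and product ids are placeholders.
VEX_JSON = """{
 "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/1",
 "author": "Example Image Maintainers", "timestamp": "2025-01-01T00:00:00Z", "version": 1,
 "statements": [
  {"vulnerability": {"name": "CVE-2099-0001"}, "products": [{"@id": "pkg:oci/app"}], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "CVE-2099-0002"}, "products": [{"@id": "pkg:oci/app"}], "status": "under_investigation"},
  {"vulnerability": {"name": "CVE-2099-0003"}, "products": [{"@id": "pkg:oci/other"}], "status": "not_affected", "justification": "component_not_present"},
  {"vulnerability": {"name": "CVE-2099-0004"}, "products": [{"@id": "pkg:oci/app"}], "status": "not_affected"}
 ]}"""
VEX_DOC = json.loads(VEX_JSON)  # parsed once for callers

# Constructed scanner findings for the image identified as pkg:oci/app.
FINDINGS = [
    {"cve": "CVE-2099-0001", "package": "libexample", "severity": "HIGH"},
    {"cve": "CVE-2099-0002", "package": "libexample", "severity": "MEDIUM"},
    {"cve": "CVE-2099-0003", "package": "zlib", "severity": "LOW"},
    {"cve": "CVE-2099-0004", "package": "openssl", "severity": "CRITICAL"},
]

# Only these statuses justify hiding a finding; "affected" and "under_investigation" stay visible.
SUPPRESSIBLE = {"not_affected", "fixed"}

def apply_vex(findings, vex_doc, product_id):
    """Split findings into (remaining, suppressed) using only statements that name
    product_id. The VEX signature is assumed to have been verified before this point;
    a not_affected statement without a justification is malformed and is ignored."""
    status_for = {}
    for st in vex_doc["statements"]:
        if product_id not in {p.get("@id") for p in st.get("products", [])}:
            continue  # scoped to another product: must not suppress anything here
        if st["status"] == "not_affected" and not st.get("justification"):
            continue
        status_for[st["vulnerability"]["name"]] = st["status"]
    remaining, suppressed = [], []
    for f in findings:
        if status_for.get(f["cve"]) in SUPPRESSIBLE:
            suppressed.append({**f, "vex_status": status_for[f["cve"]]})
        else:
            remaining.append(f)
    return remaining, suppressed

def gate_passes(findings, vex_doc, product_id, blocking=("CRITICAL", "HIGH")):
    """CI gate: True only when no unsuppressed finding has a blocking severity."""
    remaining, _ = apply_vex(findings, vex_doc, product_id)
    return not any(f["severity"] in blocking for f in remaining)
```

Note that the statement for pkg:oci/other never suppresses anything for pkg:oci/app, and the unjustified not_affected statement for CVE-2099-0004 is ignored, so that CRITICAL finding still blocks the gate.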
Build pipelines that use Docker Hardened Images gain:
- Reproducible, signed images
- A minimized build surface that reduces exposure risk
- Compliance with the SLSA Build Level 3 standard
Release and deploy
Releasing software at scale requires security automation. Docker supports this phase with:
- Signature and provenance verification before deployment
- Policy enforcement gates using Docker Scout
- Secure, non-invasive container inspection using Docker Debug
DHIs include the metadata and signatures needed to automate image verification at deploy time.
Monitor and improve
Security continues after release. Docker's tools enable:
- Continuous monitoring of image vulnerabilities via Docker Hub
- CVE remediation guidance and patch status visibility with Docker Scout
- Ongoing delivery of secure layers through rebuilt and re-signed DHI images
- Debugging running workloads with Docker Debug without changing the image
Summary
Docker supports embedding security across the entire SSDLC by combining secure content (DHI) with developer-friendly tools (Docker Scout and Docker Debug).
These integrations promote secure practices without introducing friction, making compliance and supply chain security easier to adopt across the whole software delivery lifecycle.