
What are you wondering about?

zfLQ2qx2 opened this issue 3 years ago • 2 comments

Question

There was brief mention of using cosign to ensure an authorized base image was used; can anyone give some detail?

I used to have content trust enabled, but when Docker Hub started rate limiting I put in a proxy with an S3 cache, and using the proxy seemed to break content trust, so I had to disable it.

I would love to be able to add a check to my CI/CD pipelines to ensure that the base image came from a trusted set, and that the image produced was signed by an authorized key before I deploy the container.

zfLQ2qx2, May 15 '22 17:05

There's cosign dockerfile verify which parses a given Dockerfile for base image references (and intermediate build stage images), and ensures the referenced image(s) are signed. Is that what you were looking for?

imjasonh, May 17 '22 17:05
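A worked example of the check imjasonh describes, wired into a CI gate. This is an added illustration written for this page, not cosign project code and not something posted in the thread. The command the answer refers to, cosign dockerfile verify --key cosign.pub Dockerfile, covers the signature half of the question. The script below shows what a Dockerfile walk of that kind has to get right (multi-stage aliases, --platform flags, scratch, unresolved build ARGs) and adds the other half the question asks for: an allowlist of trusted base-image sources, since a valid signature alone does not prove the image came from an approved set. The allowlist prefixes, file paths and key name are assumptions for the example.

```shell
#!/bin/sh
# Added example (not cosign project code): CI gate for Dockerfile base images.
# Check 1: every external base image comes from an allowlisted registry/repo prefix.
# Check 2: every external base image has a signature cosign can verify against our key.
set -e

# Constructed allowlist for the example; replace with your own trusted sources.
TRUSTED_PREFIXES="registry.example.internal/base/ cgr.dev/chainguard/"

# Print the external base images referenced by FROM lines, one per line.
# Skips blank/comment lines, non-FROM instructions, --platform=... flags,
# references to earlier build stages (FROM x AS build ... FROM build), and
# scratch. A FROM whose image still contains a $ (unresolved ARG) fails closed,
# because we cannot verify an image we cannot name.
list_base_images() {
  lb_file="$1"
  lb_stages=" "
  while IFS= read -r lb_line || [ -n "$lb_line" ]; do
    # shellcheck disable=SC2086  (word splitting is the tokeniser here)
    set -- $lb_line
    [ $# -gt 0 ] || continue
    case "$1" in '#'*) continue ;; esac
    lb_kw=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ "$lb_kw" = "FROM" ] || continue
    shift
    while [ $# -gt 0 ]; do
      case "$1" in --*) shift ;; *) break ;; esac      # drop --platform=... etc.
    done
    lb_img="${1:-}"
    lb_alias=""
    if [ $# -ge 3 ]; then
      lb_as=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
      [ "$lb_as" = "AS" ] && lb_alias="$3"
    fi
    if [ -z "$lb_img" ]; then
      echo "malformed FROM line: $lb_line" >&2
      return 1
    fi
    # Is this FROM pointing at a stage defined earlier in the same file?
    case "$lb_stages" in *" $lb_img "*) lb_known=1 ;; *) lb_known=0 ;; esac
    [ -n "$lb_alias" ] && lb_stages="$lb_stages$lb_alias "
    if [ "$lb_known" -eq 1 ] || [ "$lb_img" = "scratch" ]; then
      continue
    fi
    case "$lb_img" in
      *'$'*) echo "unresolved build ARG in FROM: $lb_img" >&2; return 1 ;;
    esac
    printf '%s\n' "$lb_img"
  done < "$lb_file"
}

# Return 0 if the image reference starts with one of the trusted prefixes.
is_trusted() {
  for it_prefix in $TRUSTED_PREFIXES; do
    case "$1" in "$it_prefix"*) return 0 ;; esac
  done
  return 1
}

# Run both checks. Requires cosign on PATH; only invoked when arguments are given.
verify_base_images() {
  vb_file="$1"
  vb_pubkey="$2"
  vb_rc=0
  vb_images=$(list_base_images "$vb_file") || return 1   # fail closed on parse errors
  for vb_img in $vb_images; do
    if ! is_trusted "$vb_img"; then
      echo "REJECT $vb_img: not in the trusted base-image set" >&2
      vb_rc=1
      continue
    fi
    if cosign verify --key "$vb_pubkey" "$vb_img" >/dev/null 2>&1; then
      echo "OK     $vb_img: trusted source, signature verified"
    else
      echo "REJECT $vb_img: no signature verifiable with $vb_pubkey" >&2
      vb_rc=1
    fi
  done
  return $vb_rc
}

# Usage in CI, before docker build:  sh gate.sh Dockerfile cosign.pub
if [ $# -eq 2 ]; then
  verify_base_images "$1" "$2"
fi
```

For the second half of the question, sign the built image by digest (cosign sign --key cosign.key registry/repo@sha256:...) and gate the deploy step on cosign verify --key cosign.pub against that same digest. Verifying the digest rather than a tag removes the window in which a tag could be moved between the check and the deploy.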

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot], Aug 19 '22 02:08

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot], Aug 25 '22 02:08