image-spec icon indicating copy to clipboard operation
image-spec copied to clipboard
verified publisher icon opencontainers

Proposal: Adding security information like in security.txt

Open pstoeckle opened this issue 4 months ago • 5 comments

Proposal

Add annotations, e.g.,

  • org.opencontainers.security.contact: A link or e-mail address for people to contact you about security issues.
  • org.opencontainers.security.encryption: A link to a key which security researchers should use to securely talk to you.

User Stories

  • As a security researcher, I want to know how to contact the image maintainer about security issues.
  • As a security researcher, I want to know how to securely communicate with the image maintainer

Background

For websites, there is security.txt (https://securitytxt.org/) and the corresponding RFC 9116 (https://datatracker.ietf.org/doc/html/rfc9116). One could transfer this idea to container images.

pstoeckle avatar Sep 03 '25 19:09 pstoeckle

Rather than recreating the security.txt in annotations, I'd prefer a single annotation (org.opencontainers.image.security) with a URL to the project's security.txt.

sudo-bmitch avatar Sep 03 '25 19:09 sudo-bmitch

Rather than recreating the security.txt in annotations, I'd prefer a single annotation (org.opencontainers.image.security) with a URL to the project's security.txt.

This would also be good 👍

pstoeckle avatar Sep 04 '25 07:09 pstoeckle

FWIW, Brandon put up a strawman at #1284

tianon avatar Sep 05 '25 02:09 tianon

gh repo clone acepsodiq/acepsodiq

mansoorali24202-source avatar Oct 05 '25 01:10 mansoorali24202-source

Image

sepetnanang127-tech avatar Oct 21 '25 19:10 sepetnanang127-tech