
[question] how OCI Image Layout fits into this concept?

Open developer-guy opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe. No, this is not a feature request related to a problem.

Describe the solution you'd like

I'd like to highlight some of the scenarios where the OCI Image Layout comes in handy. I've also written a blog post series about that (shameless plug). The idea behind using OCI Image Layout is that you might be running an air-gapped environment where making additional network requests between your host and container registries is problematic. In such environments, relying on disk operations is a preferable way to build OCI images, and this is where OCI Image Layout comes into the picture. OCI Image Layout allows you to do this. You can build your container image and save the output (.tar) to disk in the form of an OCI Image Layout, then you can use registry client tooling such as regctl, crane, etc. to do file operations (i.e. adding/updating a new layer, mutating the config, updating the manifest/index, adding signatures/SBOMs/provenances) to avoid having network connections with container registries. At the end of the file operations, you can push the whole thing at once, which is super cool!

So, here is the question: how does the slsa-github-generator fit into this use case? Because once the image is built locally you won't have the digest until the image is pushed to a container registry, but if you generate the provenance and add it as a new layer to the image once the image is built, you will have the wrong sha256 subjects. Because the final image will get some modifications, the image you push at the end of the modifications is not the same image you built first.

I'm not sure I can explain the scenario clearly, but here is an example of using slsa-github-generator with an OCI Image Layout:

https://github.com/developer-guy/demo-gha-with-oci-layout/blob/main/.github/workflows/docker.yml#L155

I'm waiting for your comments, thanks in advance. I'd like to ping some other folx who are the experts about OCI I believe: @sudo-bmitch @imjasonh

developer-guy · May 07 '23 14:05
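The question above hinges on where the image digest comes from and why it moves. The digest a registry reports for an image is the sha256 of the manifest bytes, and in an OCI Image Layout those bytes are already on disk under blobs/sha256 and referenced from index.json, so it can be computed before any push. The following is an added example in Python, not code from the issue author, from slsa-github-generator, or from crane/regctl; the image name ghcr.io/example/app, the layer bytes, and all helper functions are constructed for illustration, and manifests are serialised with sorted keys for determinism (real tools hash the manifest bytes exactly as stored). It builds a single-layer layout, records a provenance subject from the manifest digest, then appends a layer the way an offline mutation would, and shows that the earlier subject no longer matches the image that would finally be pushed.

```python
"""Minimal OCI Image Layout on disk, and why a provenance subject taken before
an offline mutation no longer matches the manifest that is eventually pushed.
Constructed example; not the layout produced by any real build tool."""
import hashlib
import json
import os
import tempfile

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
OCI_LAYER = "application/vnd.oci.image.layer.v1.tar"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic JSON so re-serialising the same object yields the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def write_blob(root: str, data: bytes) -> str:
    """Store a content-addressed blob at blobs/sha256/<hex>; return 'sha256:<hex>'."""
    hexd = sha256_hex(data)
    blob_dir = os.path.join(root, "blobs", "sha256")
    os.makedirs(blob_dir, exist_ok=True)
    with open(os.path.join(blob_dir, hexd), "wb") as f:
        f.write(data)
    return "sha256:" + hexd


def read_blob(root: str, digest: str) -> bytes:
    algo, hexd = digest.split(":", 1)
    with open(os.path.join(root, "blobs", algo, hexd), "rb") as f:
        return f.read()


def descriptor(media_type: str, digest: str, size: int) -> dict:
    return {"mediaType": media_type, "digest": digest, "size": size}


def write_index(root: str, manifest_desc: dict) -> None:
    """Write oci-layout marker and index.json pointing at the (single) manifest."""
    with open(os.path.join(root, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    index = {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [manifest_desc]}
    with open(os.path.join(root, "index.json"), "wb") as f:
        f.write(canonical(index))


def build_layout(root: str, layer_bytes: bytes) -> str:
    """Create a one-layer image in an OCI layout; return the manifest digest."""
    layer_digest = write_blob(root, layer_bytes)
    # Layer is stored as an uncompressed tar here, so diff_id equals the blob digest.
    config = {"architecture": "amd64", "os": "linux",
              "rootfs": {"type": "layers", "diff_ids": [layer_digest]}}
    config_bytes = canonical(config)
    config_digest = write_blob(root, config_bytes)
    manifest = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
                "config": descriptor(OCI_CONFIG, config_digest, len(config_bytes)),
                "layers": [descriptor(OCI_LAYER, layer_digest, len(layer_bytes))]}
    manifest_bytes = canonical(manifest)
    manifest_dig = write_blob(root, manifest_bytes)
    write_index(root, descriptor(OCI_MANIFEST, manifest_dig, len(manifest_bytes)))
    return manifest_dig


def manifest_digest(root: str) -> str:
    """The digest a registry would report for this image: read straight from index.json."""
    with open(os.path.join(root, "index.json"), "rb") as f:
        return json.load(f)["manifests"][0]["digest"]


def add_layer(root: str, layer_bytes: bytes) -> str:
    """Offline mutation: append a layer, rewrite config and manifest, update index.json."""
    manifest = json.loads(read_blob(root, manifest_digest(root)))
    config = json.loads(read_blob(root, manifest["config"]["digest"]))
    layer_digest = write_blob(root, layer_bytes)
    config["rootfs"]["diff_ids"].append(layer_digest)
    config_bytes = canonical(config)
    manifest["config"] = descriptor(OCI_CONFIG, write_blob(root, config_bytes), len(config_bytes))
    manifest["layers"].append(descriptor(OCI_LAYER, layer_digest, len(layer_bytes)))
    manifest_bytes = canonical(manifest)
    manifest_dig = write_blob(root, manifest_bytes)
    write_index(root, descriptor(OCI_MANIFEST, manifest_dig, len(manifest_bytes)))
    return manifest_dig


def provenance_subject(name: str, manifest_dig: str) -> dict:
    """SLSA provenance subject for an image: its name plus the manifest sha256."""
    return {"name": name, "digest": {"sha256": manifest_dig.split(":", 1)[1]}}


def subject_matches(root: str, subject: dict) -> bool:
    """What a verifier effectively checks: subject sha256 == current manifest sha256."""
    return subject["digest"]["sha256"] == manifest_digest(root).split(":", 1)[1]


def demo():
    root = tempfile.mkdtemp(prefix="oci-layout-")
    d1 = build_layout(root, b"constructed layer one")           # image as first built
    stale = provenance_subject("ghcr.io/example/app", d1)       # provenance taken now...
    d2 = add_layer(root, b"constructed layer two")              # ...then the layout is mutated
    fresh = provenance_subject("ghcr.io/example/app", d2)       # provenance taken after all edits
    return d1, d2, subject_matches(root, stale), subject_matches(root, fresh)


if __name__ == "__main__":
    first, final, stale_ok, fresh_ok = demo()
    print("built:", first, "\nfinal:", final, "\nstale subject matches:", stale_ok,
          "\nfresh subject matches:", fresh_ok)
```

The practical consequence for the workflow in the linked example is that the subject digest for the provenance has to be taken from the manifest that will actually be pushed, i.e. after every layer/config mutation of the layout is done, and that digest can be read from index.json without contacting a registry. Note also that adding the provenance as a layer of the image manifest itself is what changes the digest; attaching it as a separate artifact that references the image (the way signature and attestation tooling attaches referrers) leaves the image manifest digest unchanged.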

kindly ping @dentrax

developer-guy · May 08 '23 09:05

I'm still interested in discussing more on this subject, any help would be appreciated, kindly ping folks

developer-guy · Aug 06 '23 13:08