OSCAL icon indicating copy to clipboard operation
OSCAL copied to clipboard

Published 20 hours ago verified publisher icon usnistgov

Build and Publish Docker Image for NIST and Community Developers

Open ohsh6o opened this issue 3 years ago • 3 comments

User Story:

As an OSCAL developer, in order to more consistently develop OSCAL artifacts like the build process and fellow NIST OSCAL developers, I would like NIST OSCAL developers to publish an official container image for all developers.

Goals:

  • Consistent development approaches in and outside the NIST team.
  • Minimize time spent on development environments.

Dependencies:

  • Understanding of what image publication services are permitted and recommended for use by the NIST OSCAL development team.

Acceptance Criteria

  • [ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

ohsh6o avatar Aug 12 '21 16:08 ohsh6o

Since @ohsh6o is inactive, I want to pick this up and work on it now!

xee5ch avatar Nov 08 '21 16:11 xee5ch

From previous conversation, it seems we should consider signing the images. The GitHub Container Registry (ghcr.io) will support Docker Content Trust and Notary Version 2 signatures. Generally popular, and not endorsed by GitHub itself, is the use of the cosign utility. cosign supports both PIV-based hardware tokens and discrete certificate/keypairs generated by the tool itself. There are pluses and minuses to each, given the conversation before. Will have to experiment with either approach, and brief David to decide which is the ideal.

  • https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/
  • https://garantir.io/secure-container-signing-with-cosign-and-pkcs11/
  • https://github.com/sigstore/cosign/blob/8db51b75192ca1f86674875be12763f90a818819/TOKENS.md
  • https://github.com/sigstore/cosign/blob/8db51b75192ca1f86674875be12763f90a818819/KMS.md
  • https://github.com/sigstore/cosign/blob/8db51b75192ca1f86674875be12763f90a818819/KEYLESS.md

xee5ch avatar Mar 10 '22 02:03 xee5ch

Investigating a viable signing approach will take a bit more time. Moving this to the 1.1.0 release.

david-waltermire avatar Mar 10 '22 19:03 david-waltermire

Closing, thankfully our build process has been simplified and a Docker image with specific dependencies pre-installed is no longer necessary.

nikitawootten-nist avatar Aug 24 '23 18:08 nikitawootten-nist