Sign Docker image with Cosign #8391

Open
explsd opened this issue Mar 9, 2024 · 0 comments

Comments


explsd commented Mar 9, 2024

Is your feature request related to a problem? Please describe.

In order to secure the supply chain, cluster operators are starting to use tools like Ratify to verify images used on their clusters.

Describe the solution you'd like

In order for the ZAP container image to be able to pass signature verification, the Docker images should be signed. This can simply be done using Cosign and keyless signing during the build of the image in GitHub Actions.

Describe alternatives you've considered

The image could also be signed using a private key, but it would take additional work to manage that private key.

Screenshots

(two screenshots attached, captioned "cosign" and "ratify"; images not reproduced here)

Additional context

No response

Would you like to help fix this issue?

  • Yes
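For reference, the following is an added example of the keyless-signing workflow the request describes. It is not the ZAP project's own workflow: the image name (ghcr.io/<owner>/<repo>), the branch name main and the action versions are assumptions, and the job builds, pushes, signs and then verifies its own signature so a misconfigured OIDC step fails in CI rather than at admission time.

```yaml
name: build-sign-publish

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # push the image to GHCR
  id-token: write   # lets cosign obtain the GitHub OIDC token used for keyless signing

env:
  # Assumption: the image is published to GHCR under the repository name.
  # GHCR requires a lowercase path; adjust if the owner name has uppercase letters.
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      - name: Sign the image (keyless, Sigstore Fulcio + Rekor)
        # Sign by digest, not by tag: tags are mutable, and the digest is what an
        # admission controller such as Ratify resolves and checks.
        # --yes skips the interactive prompt about uploading to the transparency log.
        run: cosign sign --yes "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

      - name: Verify the signature
        # A keyless verification must pin BOTH the OIDC issuer and the signing identity;
        # without them any Fulcio certificate would satisfy the check.
        # For GitHub Actions the identity is the workflow file that ran, e.g.
        # https://github.com/<owner>/<repo>/.github/workflows/<file>.yml@refs/heads/main
        run: |
          cosign verify "${IMAGE}@${DIGEST}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/\.github/workflows/.+@refs/heads/main$"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
```

The same issuer and identity constraints are what a consumer (or a Ratify policy) should pin when verifying; a verification that only checks "some Sigstore signature exists" accepts images signed by any GitHub repository. For the key-based alternative mentioned above, the sign step becomes cosign sign --key with a key stored in a secret or KMS, and the verify step uses --key with the public key instead of the issuer and identity flags.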
Development

No branches or pull requests

2 participants