Cosign: verify base image #1700
Labels: area/behavior, area/usability, feat/provenance, kind/feature-request, priority/p2
Hello,
We use kaniko and cosign to build/sign our images and I see that Kaniko uses cosign too.
Also, cosign is not "integrated" in Kaniko; you use it separately in your CI.
As kaniko doesn't embed cosign, it would be very helpful if we could, at least, "dump" a kind of dependency image graph with a depth size?
So then we could run `cosign verify` easily to ensure that base images are also signed? From a security perspective it will ensure that we don't build a production image based on a hijacked image.
It's impossible to guarantee that an image wasn't overridden on registries.
At least with the signature we could verify it and set annotations on signatures to "trace" the build (like pipeline ids, git sha, etc.)
Let me know if I'm not clear.
Thanks!
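What the request above amounts to in a CI step, as an added example that is not part of kaniko, cosign or the issue: extract the external base images a Dockerfile pulls, then run `cosign verify` on each one with the annotations the signer attached. It assumes `cosign` is on PATH and the signing public key is in a file such as `cosign.pub` (both assumptions).

```shell
#!/bin/sh
# Added example (not kaniko or cosign code): list the external base images a
# Dockerfile pulls and run `cosign verify` on each, requiring the annotations
# the signer attached (pipeline id, git sha). Assumes `cosign` is on PATH and
# the signing public key is in a file such as cosign.pub.
set -eu

# Print each external base image referenced by FROM, one per line.
# Skips `scratch` and references to earlier build stages, resolves
# simple `ARG NAME=default` substitutions and drops duplicates.
base_images() {
  awk '
    toupper($1) == "ARG" {
      eq = index($2, "=")
      if (eq) args[substr($2, 1, eq - 1)] = substr($2, eq + 1)
    }
    toupper($1) == "FROM" {
      img = $2
      if (img ~ /^--/) img = $3            # skip a --platform=... flag
      # resolve ${VAR} / $VAR from ARG defaults seen so far
      while (match(img, /\$\{?[A-Za-z_][A-Za-z0-9_]*\}?/)) {
        v = substr(img, RSTART, RLENGTH); gsub(/[${}]/, "", v)
        img = substr(img, 1, RSTART - 1) args[v] substr(img, RSTART + RLENGTH)
      }
      skip = (img == "" || img == "scratch" || (img in stages) || (img in seen))
      for (i = 3; i <= NF; i++)           # remember `AS <alias>` stage names
        if (toupper($i) == "AS") stages[$(i + 1)] = 1
      if (!skip) { seen[img] = 1; print img }
    }
  ' "$1"
}

# verify_base_images DOCKERFILE PUBKEY [key=value ...]
# Runs cosign verify on every base image; each key=value becomes a required
# annotation (-a). Stops at the first image that fails so the build can be
# aborted before an unsigned or replaced base image is used.
verify_base_images() {
  dockerfile=$1; pubkey=$2; shift 2
  imgs=$(base_images "$dockerfile")
  n=$#
  while [ "$n" -gt 0 ]; do set -- "$@" -a "$1"; shift; n=$((n - 1)); done
  for img in $imgs; do
    echo "verifying $img"
    cosign verify --key "$pubkey" "$@" "$img" >/dev/null \
      || { echo "FAILED: $img is not signed with the expected annotations" >&2; return 1; }
  done
}

if [ $# -ge 2 ]; then verify_base_images "$@"; fi
```

Run it as `sh verify-base.sh Dockerfile cosign.pub pipeline_id=42 git_sha=abc123` before the kaniko build step; a non-zero exit means one of the base images did not verify against that key and those annotations.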