Cosign: verify base image #1700
Labels
area/behavior
all bugs related to kaniko behavior like running in as root
area/usability
For all bugs related to how people use kaniko, option and feature flags, etc
feat/provenance
kind/feature-request
priority/p2
High impact feature/bug. Will get a lot of users happy
Comments
|
This would be another use case for sigstore/cosign#666 |
|
I too want If a workflow could verify and resolve a Dockerfile, then what's handed to I opened the issue Jason linked based on discussion that ensued around similar aims in So big +1 from me, and I'd be happy to discuss more stuff in this vein. |
aaron-prindle
added
kind/feature-request
feat/provenance
priority/p2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
We use kaniko and cosign to build/sign our images and I see that Kaniko uses cosign too.
Also cosign is not "integrated" in Kaniko, you use it separatly in your CI.
As kaniko doesn't embed cosign, it will be very helpful if we could, at least, "dump" a kind of depedency images graph with a depth size?
So then we could run
cosign verifyeasily to ensure that base images are also signed?From security perspective it will ensure that we don't build a production image based on hijacked image.
It's impossible to guarentee that an image wasn't overrided on registries.
At least with the signature we could verify it and set annotation on signatures to "trace" the build (like pipelines id, git sha etc)
Let me know if i'm not clear.
Thanks!
The text was updated successfully, but these errors were encountered: