[Security] Is it time to sign the Docker images? #1783
Replies: 6 comments
-
You can find examples on https://github.com/sudo-bot/action-docker-sign#inspect-trust
-
As our images are getting built automatically by Docker Hub's infrastructure, enabling this would imply giving them the private signing key directly, so would this add any extra security in that case?
-
Well, the auto-builds are not possible anymore with that option. The repository would need to build the images :/
-
Switching to images built with GitHub Actions, using a named environment with run approvers, seems to be the solution to keep the secrets protected :)
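A workflow of the kind the reply above describes, written here as an added example (it is not code from this project or from the action-docker-sign repository): the build, sign and push job is bound to a named GitHub environment, so the delegation key and its passphrase are only released to a run that a required reviewer has approved, and the root key never enters CI. The environment name `release`, the secret names and the image name are assumptions.

```yaml
name: build-sign-push

on:
  push:
    tags: ["v*"]

jobs:
  release:
    runs-on: ubuntu-latest
    # Assumed environment name. "Required reviewers" is configured on it under
    # Settings > Environments, so the secrets referenced below are only handed
    # to a run that a reviewer has approved.
    environment: release
    env:
      IMAGE: docker.io/example-org/example-image  # assumed image name
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Docker Hub
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin

      - name: Build
        run: docker build -t "$IMAGE:$GITHUB_REF_NAME" .

      - name: Load the delegation (signer) key
        # Assumes the repository's trust data was initialised beforehand with the
        # root key kept offline (docker trust signer add), and that the PEM in
        # DCT_DELEGATION_KEY is encrypted with the passphrase in
        # DCT_DELEGATION_PASSPHRASE. The docker CLI reads that passphrase from
        # DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE, so nothing prompts.
        env:
          DCT_DELEGATION_KEY: ${{ secrets.DCT_DELEGATION_KEY }}
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_DELEGATION_PASSPHRASE }}
        run: |
          umask 077
          printf '%s\n' "$DCT_DELEGATION_KEY" > delegation.key
          docker trust key load delegation.key --name ci-signer
          rm -f delegation.key

      - name: Sign and push
        # docker trust sign pushes the tag and publishes the signature in one step.
        env:
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_DELEGATION_PASSPHRASE }}
        run: docker trust sign "$IMAGE:$GITHUB_REF_NAME"
```

Consumers then verify with `DOCKER_CONTENT_TRUST=1 docker pull` or `docker trust inspect --pretty`, which refuses any tag that is not signed by a listed signer.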
-
Do you think this could get implemented?
-
I'm going to move this to the discussions under
-
Subject of the issue
Docker images, when signed, are more "secure" in the case of a security event, because a non-signed image could not be pulled if the previous one was signed.
Deployment environment
Docker
Steps to reproduce
Expected behaviour
Have a signed image I can trust
Actual behaviour
No signed image
Troubleshooting data
All needed information can be found in official docs and in the GitHub action: https://github.com/sudo-bot/action-docker-sign
All the needed commands can be copied from https://github.com/sudo-bot/action-docker-sign/blob/main/action.yml
Is it easy to implement: Yes
Do you have to back up the repository and root keys in a very safe place? YES!!
Knowing nothing about DCT, I implemented a GitHub action in a bunch of hours; I can provide help with the setup if needed.