🎟 Voucher creates attestations for Binary Authorization

grafeas/voucher

Tests Go Report Card

voucher

Introduction

Voucher is the missing piece in the binary authorization toolchain which enables you to secure your software supply pipeline. Binary authorization uses an admission controller such as Kritis, which pulls information about a container image from a metadata server such as Grafeas to ensure that the image is not deployed to production unless it has passed an appropriate suite of checks. As running checks on containers during deployment is time consuming and prevents rapid rollout of changes, the checks the admission controller utilizes to verify an image is ready for production should be run at build time. Voucher does exactly that.

Voucher was designed to be called from your CI/CD pipeline after an image is built, but before that image is deployed to production. Voucher pulls the newly built image from your image registry, runs it through all of the checks that were requested, and generates an attestation for every check that the image passes. Those attestations (OpenPGP signatures over the container image digest) are then pushed to the metadata server, where Kritis can verify them at admission time.

Voucher presently includes the following checks:

Test Name    Description
diy          Can the image be downloaded from our container registry?
nobody       Was the image built to run as a user who is not root?
snakeoil     Is the image free of known security issues?
provenance   Was the image built by us or a trusted system?
approved     Did the source code for the image pass all required checks in the code repository?

As well as the following dynamic check:

Test Name      Description
is_<org name>  Did the source for this image come from the named organization? (For example, is_shopify.)

Note that provenance and the dynamic checks require the presence of build metadata in your metadata store. While unsigned metadata is accepted, it is recommended that you use signed metadata so that the checks trust only metadata that has not been forged.
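As an added illustration of the workflow described above (not code from the Voucher project), the following Go program runs a "nobody"-style check over a constructed image config and, when the image passes, produces a signed attestation payload over the image digest. The config JSON, the digest and the `RunsAsRoot`/`CheckNobody` helpers are assumptions made for this example; stdlib ed25519 stands in for the OpenPGP signing Voucher actually performs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// imageConfig holds the one image-config field the "nobody" check needs: USER.
type imageConfig struct {
	Config struct {
		User string `json:"User"`
	} `json:"config"`
}

// Attestation is a passing check's payload (digest + check name); Voucher signs it with OpenPGP, stdlib ed25519 stands in here (assumption).
type Attestation struct {
	Digest string `json:"digest"`
	Check  string `json:"check"`
}

// RunsAsRoot reports whether an image starts as root: an empty USER, "root",
// uid 0, or a "0:0" user:group pair all resolve to root.
func RunsAsRoot(user string) bool {
	name := strings.SplitN(strings.TrimSpace(user), ":", 2)[0]
	return name == "" || name == "root" || name == "0"
}

// CheckNobody runs the check over an image config; a passing image yields a signed attestation, a root image an error.
func CheckNobody(configJSON []byte, digest string, priv ed25519.PrivateKey) (payload, sig []byte, err error) {
	var cfg imageConfig
	if err = json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, nil, err
	}
	if RunsAsRoot(cfg.Config.User) {
		return nil, nil, fmt.Errorf("nobody: image runs as root (USER=%q)", cfg.Config.User)
	}
	if payload, err = json.Marshal(Attestation{Digest: digest, Check: "nobody"}); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig, err := CheckNobody([]byte(`{"config":{"User":"65534:65534"}}`), "sha256:0123abcd", priv) // constructed sample
	fmt.Println(string(payload), err, ed25519.Verify(pub, payload, sig))
}
```

The verifier side (Kritis, in Voucher's pipeline) would perform the equivalent of the `ed25519.Verify` call against the attestor's public key before admitting the image.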

Voucher Server, Subscriber, and Client

This repository contains three tools:

  • Voucher Server: intended to run in your infrastructure to respond to CI/CD pipeline requests.
  • Voucher Subscriber: a program that accepts image creation pub/sub messages from GCR, and automatically vouches the images referenced in those messages. This program doesn't respond to any client requests.
  • Voucher Client: an example of a Voucher API client that you can use directly in your CI/CD pipeline or as a basis for your own code. The client connects to a Voucher Server.

Contributing

Please refer to the Contributing document if you are interested in contributing to voucher!

Community

Please join voucher-users for announcements and discussions.
