Request to have Pact-Broker Docker Image added to Iron Bank #54

Closed
jhawthor opened this issue Jul 8, 2021 · 4 comments

Comments

@jhawthor

jhawthor commented Jul 8, 2021

Request to have Pact-Broker Docker Image added to DoD Iron Bank.

After an email exchange with Matt Fellows, he recommended I make this request to the community on this forum:
I work as a contractor for the Air Force in Cyber Testing. I’m interested in getting the Pact-Broker Docker image into Iron Bank so that it can be used in Department of Defense (DoD) software projects from unclassified to classified. However, after attending the Iron Bank onboarding, held every Wednesday, I learned that I would have to maintain it, which is not in my contract. I would like to know if you would be interested in getting the Pact-Broker Docker image into Iron Bank. Iron Bank is a public container hardening process that allows vendors and open source projects to provide hardened software. The link to Iron Bank is listed below.

Basic Information. You will need to register for an account and you do not have to be military or a DoD employee.
https://ironbank.dso.mil/about

Getting Started: Register for an Onboarding Brief. There will be time to ask questions after the brief. It's 1 hr (30 min brief / 30 min questions).
https://p1.dso.mil/#/products/iron-bank/getting-started

Thanks

@mefellows
Member

Thanks for raising @jhawthor. As a brief summary, to achieve this there are several important considerations:

  1. A new hardened Docker image would need to be created that uses one of the approved Red Hat UBIs or a distroless image (including following an "internet-disconnected build process").
  2. There would need to be explicit ownership by a community representing Pact, working closely with the Points of Contact on the Iron Bank side.
  3. We would need to maintain two processes (one for public consumption, and one for the Iron Bank users - @jhawthor please correct me if I'm wrong).

There are upsides of this process (e.g. continuous CVE monitoring and an obviously better security process) but it's something we need to consider carefully, and from the OSS community perspective, we would very much want to have at least 1 (and ideally 2) community member committed to maintaining the process.

Summary checklist on the Iron Bank side.

@bethesque
Member

I'm happy to support someone in this work, but I don't have time to pick it up myself. We would need to find someone else to take responsibility for it.

@jhawthor
Author

jhawthor commented Jul 19, 2021

@bethesque, I'm very happy to hear that. @mefellows, you are correct with item 3. I thank all of you for your support on this.

@bethesque
Member

Closing due to inactivity.
