Feature: docker image diff #24
Comments
|
Hey Klavs, Thanks for the great suggestion 👍 Based on the text above:
2.. It would also be interesting to add validation of signatures, if the chart developers have signed their images. Unfortunately this is not the case for a lot of smaller Helm Charts, but should be supported for the ones that do.
Right now i am mostly unclear about which two versions to compare. If Helmper is tasked with importing v0.0.2 of a Helm Chart, we want to do a diff of all images in v0.0.1 to all images in v0.0.2? This could even be controlled through the declarative spec, which version you want to compare to.
|
|
I think we should look into supporting "community signatures" .. so helmper could compare a tag's sha256 vs. "publicly stored" sha256.. that way.. first who sends in a sha256 for an image+tag combination - gets stored in community service - rest - get their sha256 compared to what the first one saw.. and an alert if it has changed. As thats what happens in most supply chain attacks - an existing release is modified.. and such a setup for docker images/charts etc. - would automaticly notice this - also for those that haven't caught onto gpg signing etc. - and even gpg signed ones can be compromised if gpg keys are stolen OR if person is a bad actor (as we recently saw with an compression lib and SSH being compromised). |
|
I'm thinking something already exists for sending in such signatures.. there's several other projects that "do something like this".. I just haven't had the time to research the topic myself yet |
|
I wouldn't mind offering to code and host such a service if nothing exists.. but I would be amazed if it didn't |
a bit of a braindump here - to be restructured :)
It would be really cool if helmper could facilitate showing a diff (output from 'diff -bduNr' current-docker/ new-docker/ - and just export the current and "to be updated to" docker image - so one can see what actual changes are being introduced - and maybe spot "nefarious changes" if they happen in your supply chain.
Same with helm charts.
Often supply chain attacks are not at the code - but at the "mirrors"/repos of libs and dependencies
https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/
Helmper should help identify "unexpected changes".. generally. f.ex. not enough use the sha256 of a docker image - so you could change what a tag points to (simply push to same tag again - as supply chain attack) - and most would download the newimage - as they were not actually pointing to the sha256 of the releasetag - but just the tag.
The text was updated successfully, but these errors were encountered: