Once you've created your secure image pipeline, you can automate the workflow of generating signed images anytime you make changes to the source code.
This page explains how to use the image pipeline to produce secure, attested images.
Before you begin
Using the pipeline
The source code for the base images is in the
repository in the GitHub organization you specified when setting up the secure
image pipeline. To update an image, edit the relevant file in the repository and
send a pull request with the changes to a team member for review. When you create
the pull request, the Cloud Build triggers in
YOUR_PROJECT_NAME-builder build the updated image and push
the image to the Artifact Registry repository in
When a team member has tested and verified the images in
they can approve and merge your pull request. The merge action builds, scans and
attests the images and pushes the images from the staging project to
The following steps describe the developer workflow for using the secure image pipeline:
Go to the baseimgfact-[some number]-containers repository.
Open the folder corresponding to the image you wish to change, for example
Make edits. For example, edit the
Dockerfile to update a container image.
Select Create a new branch for this commit and start a pull request.
Click Propose changes.
In Comment description, enter /gcbrun. This is to make sure only authorized users propose changes to the repository.
Click Create pull request.
When you create a pull request, the build triggers in
YOUR_PROJECT_NAME-builder build your image and push the image to
Add a team member to review your pull request.
After manually verifying the image, the team member approves and merges the pull request.
The merge action builds and tests the image, scans it for vulnerabilities, attests it if it is a container image, and then pushes the image to
Specifying a customized security policy
If you're using the Secure image pipeline to generate and maintain base container images, you can specify a customized security policy against which the image is verified.
YOUR_PROJECT_NAME-stage runs an instance of Voucher,
which is an open source tool that runs a suite of checks on container images and
creates Binary Authorization attestations
for the images. When an image in
YOUR_PROJECT_NAME-stage has been manually
verified and a team member merges the pull request in the GitHub container image
repository, Voucher checks the image for vulnerabilities according to the checks
and severity threshold defined in the Voucher configuration file. After the check completes, if all of
the identified vulnerabilities fall below the threshold, Voucher creates a
Binary Authorization attestation for the image and the image is pushed to
YOUR_PROJECT_NAME-verified. If any of the identified vulnerabilities meet
or exceed the threshold, Voucher does not create an attestation. Without a verified
attestation, the Binary Authorization enforcer disallows the image from being
You can define which checks Voucher runs, along with other criteria, in the Voucher Server configuration file. For instructions on doing this, see Build and configure Voucher server.
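The threshold rule above is inclusive: an attestation is created only when every identified vulnerability falls below the configured severity, and withheld as soon as one finding meets or exceeds it. The following added example (not Voucher's code or configuration; the severity labels, the sample findings with placeholder CVE IDs, and the threshold values are all constructed) models that gate so you can see which findings would block an attestation at a given threshold, and it treats an unrecognised severity label as blocking rather than letting it slip through:

```python
"""Model of the severity-threshold gate used before a Binary Authorization
attestation is created. Added illustration, not Voucher's implementation."""
from dataclasses import dataclass

# Ordered from least to most severe; the index is the comparable rank.
# Constructed label set for the example.
SEVERITY_ORDER = ("MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by the scanner (constructed sample shape)."""
    cve: str
    severity: str
    package: str


def severity_rank(name: str) -> int:
    """Rank a severity label. An unknown label ranks above every known one, so
    an unrecognised finding can never fall below the threshold by accident."""
    try:
        return SEVERITY_ORDER.index(name.upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def blocking_findings(findings, threshold: str):
    """Return the findings that meet or exceed the threshold (inclusive)."""
    limit = severity_rank(threshold)
    return [f for f in findings if severity_rank(f.severity) >= limit]


def should_attest(findings, threshold: str) -> bool:
    """True only when no finding meets or exceeds the threshold."""
    return not blocking_findings(findings, threshold)


# Constructed scan results for one image; the CVE IDs are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "LOW", "libexample"),
    Finding("CVE-0000-0002", "MEDIUM", "libexample2"),
    Finding("CVE-0000-0003", "HIGH", "libexample3"),
]

if __name__ == "__main__":
    for threshold in ("HIGH", "CRITICAL"):
        blocked = [f.cve for f in blocking_findings(SAMPLE_FINDINGS, threshold)]
        verdict = "attest" if should_attest(SAMPLE_FINDINGS, threshold) else "no attestation"
        print(f"threshold={threshold}: {verdict}; blocking={blocked}")
```

With the sample findings, a threshold of CRITICAL lets the image through while a threshold of HIGH withholds the attestation because of the single HIGH finding; lowering the threshold in the configuration therefore widens the set of findings that stop the image from being promoted to the verified repository.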