Once you've created your secure image pipeline, you can automate the workflow of generating signed images anytime you make changes to the source code.
This page explains how to can use the image pipeline to produce secure, attested images.
Before you begin
Create the secure image pipeline and become familiar with the resources created by the pipeline.
Using the pipeline
The source code for the base images are in the baseimgfct-[some number]-containers
repository in the GitHub organization you specified when setting up the secure
image pipeline. To update an image, edit the relevant file in the repository and
send a pull request with the changes to a team member for review. When you create
the pull request, the Cloud Build triggers in
YOUR_PROJECT_NAME-builder
builds the updated image and pushes
the image to the Artifact Registry repository in YOUR_PROJECT_NAME-stage
.
When a team member has tested and verified the images in YOUR_PROJECT_NAME-stage
,
they can approve and merge your pull request. The merge action builds, scans and
attests the images and pushes the images from the staging project to
YOUR_PROJECT_NAME-verified
.
The following steps describe the developer workflow for using the secure image pipeline:
Go to the baseimgfact-[some number]-containers repository.
Open the folder corresponding to the image you wish to change, for example
ubuntu_18_0_4
.Make edits. For example, edit the
Dockerfile
to update a container image.Select Create a new branch for this commit and start a pull request.
Click Propose changes.
In Comment description, enter /gcbrun. This is to make sure only authorized users propose changes to the repository.
Click Create pull request.
When you create a pull request, the build triggers in
YOUR_PROJECT_NAME-builder
builds your image and pushes the image toYOUR_PROJECT_NAME-stage
.Add a team member to review your pull request.
After manually verifying the image, the team member approves and merges the pull request.
The merge action builds, tests, scans the image for vulnerabilities, and attests the image if it is a container image, and then pushes the image to
YOUR_PROJECT_NAME-verified
.
Specifying a customized security policy
If you're using the Secure image pipeline to generate and maintain base container images, you can specify a customized security policy against which the image is verified.
YOUR_PROJECT_NAME-stage
runs an instance Voucher,
which is an open source tool that runs a suite of checks on container images and
creates Binary Authorization attestations
for the images. When an image in YOUR_PROJECT_NAME-stage
has been manually
verified and a team member merges the pull request in the GitHub container image
repository, Voucher checks the image for vulnerabilities, which are
defined in the Voucher configuration file. After the check completes, if all of
the identified vulnerabilities fall below the threshold, Voucher creates a
Binary Authorization attestation for the image and the image is pushed to
YOUR_PROJECT_NAME-verified
. If any of the identified vulnerabilities meet
or exceed the threshold, Voucher does not create an attestation. Without a verified
attestation, the Binary Authorization enforcer disallows the image from being
pushed to YOUR_PROJECT_NAME-verified
.
You can define which checks Voucher runs, along with other criteria, in the Voucher Server configuration file. For instructions on doing this see Build and configure Voucher server.