Using the secure image pipeline

Once you've created your secure image pipeline, you can automate the workflow of generating signed images anytime you make changes to the source code.

This page explains how to can use the image pipeline to produce secure, attested images.

Before you begin

Create the secure image pipeline and become familiar with the resources created by the pipeline.

Using the pipeline

The source code for the base images are in the baseimgfct-[some number]-containers repository in the GitHub organization you specified when setting up the secure image pipeline. To update an image, edit the relevant file in the repository and send a pull request with the changes to a team member for review. When you create the pull request, the Cloud Build triggers in YOUR_PROJECT_NAME-builder builds the updated image and pushes the image to the Artifact Registry repository in YOUR_PROJECT_NAME-stage.

When a team member has tested and verified the images in YOUR_PROJECT_NAME-stage, they can approve and merge your pull request. The merge action builds, scans and attests the images and pushes the images from the staging project to YOUR_PROJECT_NAME-verified.

The following steps describe the developer workflow for using the secure image pipeline:

  1. Go to the baseimgfact-[some number]-containers repository.

  2. Open the folder corresponding to the image you wish to change, for example ubuntu_18_0_4.

  3. Make edits. For example, edit the Dockerfile to update a container image.

  4. Select Create a new branch for this commit and start a pull request.

  5. Click Propose changes.

  6. In Comment description, enter /gcbrun. This is to make sure only authorized users propose changes to the repository.

  7. Click Create pull request.

    When you create a pull request, the build triggers in YOUR_PROJECT_NAME-builder builds your image and pushes the image to YOUR_PROJECT_NAME-stage.

  8. Add a team member to review your pull request.

  9. After manually verifying the image, the team member approves and merges the pull request.

    The merge action builds, tests, scans the image for vulnerabilities, and attests the image if it is a container image, and then pushes the image to YOUR_PROJECT_NAME-verified.

Specifying a customized security policy

If you're using the Secure image pipeline to generate and maintain base container images, you can specify a customized security policy against which the image is verified.

YOUR_PROJECT_NAME-stage runs an instance Voucher, which is an open source tool that runs a suite of checks on container images and creates Binary Authorization attestations for the images. When an image in YOUR_PROJECT_NAME-stage has been manually verified and a team member merges the pull request in the GitHub container image repository, Voucher checks the image for vulnerabilities, which are defined in the Voucher configuration file. After the check completes, if all of the identified vulnerabilities fall below the threshold, Voucher creates a Binary Authorization attestation for the image and the image is pushed to YOUR_PROJECT_NAME-verified. If any of the identified vulnerabilities meet or exceed the threshold, Voucher does not create an attestation. Without a verified attestation, the Binary Authorization enforcer disallows the image from being pushed to YOUR_PROJECT_NAME-verified.

You can define which checks Voucher runs, along with other criteria, in the Voucher Server configuration file. For instructions on doing this see Build and configure Voucher server.