Tag: container registries
-
Promoting Container Images from Quarantine Using GitHub Actions
A few days ago, I posted about Mirroring Container Images from Public Registries Using GitHub Actions, which is one of the first thing you need to think about when securing the supply chain for containers and cloud-native artifacts. The next step is to validate those artifacts before promoting them for internal use. As explained in that…
-
Mirroring Container Images from Public Registries Using GitHub Actions
While working on my vibe coding project to implement containers’ supply chain workflows system, I decided to also replicate the experience that many enterprises currently have and implement the workflows using traditional CI/CD tools. As part of that I will also walk through the common scenarios for containers’ supply chain security. One of the common…
-
Why Supply Chain Security Belongs in Your Registry, Not Your CI/CD?
For the past five years, I’ve worked on supply chain security for containers and cloud-native workloads, and I’ve had the same conversation with security-conscious enterprises over and over. They don’t want their developers – or, now, their AI agents – pulling insecure images directly from public registries. Over those conversations, several clear patterns for securing the…
-
Authenticating with OCI Registries – GitHub Container Registry (GHCR) Implementation
Update 2024-03-04: Below, I mention that GHCR does not return proper scope in the www-authenticate header, which is not correct. GHCR returns the hint repository:user/image:pull only if no real repository is requested (e.g. for the /v2/ and _catalog endpoints). If I request an existing repository (e.g. toddysm/python) the scope is properly set as repository:toddysm/python:pull in…
-
Authenticating with OCI Registries – Docker Hub Implementation
Update 2024-02-03: I just learned this week that index.docker.io is another DNS used for access to the Docker Hub registry. The behavior of index.docker.io is the same as registry-1.docker.io, so no changes to the commands are added. The list of DNS names is updated in the post below. As part of my role in the…
-
Using OCI Annotation to Track Container Image Lifecycle
For a while, we’ve been exploring the idea of using OCI annotations to track the lifecycle of container images. The problem we are trying to solve is as follows. Container images are immutable and cannot be dynamically patched like virtual machines. To apply the latest updates to a containerized application, teams must produce a new…
-
OCI Artifact Manifests, OCI Referrers API and Their Support Across Registries (Part 1)
[UPDATE: 2023-03-26] When I wrote this post, the expectation was that OCI will release version 1.1 of the specification with artifact manifest included. This release was supposed to happen by end of Jan 2023 or mid Feb 2023. Unfortunately, the OCI 1.1 Image Spec PR 999 put a hold on that and as of today,…