-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Nic Cheneweth <[email protected]>
- Loading branch information
1 parent
f11cf71
commit b83738b
Showing
1 changed file
with
44 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,45 @@ | ||
| # gha-container-base-image | ||
| <div align="center"> | ||
| <p> | ||
| <img alt="Thoughtworks Logo" src="https://raw.githubusercontent.com/ThoughtWorks-DPS/static/master/thoughtworks_flamingo_wave.png?sanitize=true" width=200 /> | ||
| <br /> | ||
| <img alt="DPS Title" src="https://raw.githubusercontent.com/ThoughtWorks-DPS/static/master/EMPCPlatformStarterKitsImage.png" width=350/> | ||
| </p> | ||
| <h3>PSK Convenience Images</h3> | ||
| <h1>twdps/gha-container-base-image</h1> | ||
| <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/github/license/ThoughtWorks-DPS/gha-container-base-image"></a> | ||
| </div> | ||
| <br /> | ||
|
|
||
| Within most teams or organizations, every job container image will require a certain amount of common configuration regardless of the purpose for which it is built. | ||
|
|
||
| Packages that typically fall into this set of shared executor requirements include things like: | ||
| - tool for accessing secrets (such as Vault, chamber, 1password, teller) | ||
| - standard shell (bash, zsh) | ||
| - multi-language support (locales) | ||
| - common dependencies for installing packages (curl, wget, unzip, common build dependencies) | ||
|
|
||
| The psk gha-container-base-image is an example of such a common base container. You will see the psk specific tools and configuration, but this can readily be adapted to any organizational requirements. | ||
|
|
||
| Build job specific container images starting from the base image. | ||
|
|
||
| See release notes for detailed version information. | ||
|
|
||
| **signature**. Images are signed using `cosign`. You can verify an image using the twdps public key found [here](https://raw.githubusercontent.com/ThoughtWorks-DPS/static/master/cosign.pub). | ||
| ```bash | ||
| cosign verify --key cosign.pub twdps/gha-container-base-image:0.1.0 | ||
| ``` | ||
|
|
||
| **software bill of materials**. For each published image, an SBOM is generated using [syft](https://github.com/anchore/syft) and uploaded to the container registry tagged using the manifest id and .spdx extension. You can pull the sbom using the oras tool as follows: | ||
|
|
||
| fetch image manifest: | ||
| ``` | ||
| docker image inspect --format='{{index .RepoDigests 0}}' twdps/gha-container-base-image:0.1.0 | ||
| ``` | ||
| twdps/gha-container-base-image:0.1.0@sha256:9d8e8eef60900fcf207e3b258b4ce13b4cdb1765f0f7ca3022fd685cd53b8a14 | ||
|
|
||
| download sbom: | ||
| ``` | ||
| oras pull docker.io/twdps/gha-container-base-image:0.1.0:sha256-9d8e8eef60900fcf207e3b258b4ce13b4cdb1765f0f7ca3022fd685cd53b8a14.spdx | ||
| ``` | ||
|
|
||
| Review `.snyk` for current vulnerability status. |