ORAS 0.14 and Future - Empower Container Secure Supply Chain
Feynman Zhou · 2022-09-27 · via OCI Registry As Storage Blog

The OCI Registry As Storage (ORAS) project maintainers announced v0.14 release for the ORAS CLI recently. ORAS v0.14 introduces four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments.

What's new in ORAS 0.14

Please see the Release Notes for details.

Prior to the ORAS CLI v0.14 release, the ORAS Go library also released v2.0.0-rc.2, which supports artifacts-spec v1.0.0-rc.2 and provides new functions that enable developers to build their own OCI client tools.

As cloud native development continues to grow, we have seen increased community interest in evolving registries to natively store, pull, copy, and discover a graph of supply chain artifacts. Artifact references are important for many use cases such as adding Software Bill of Materials (SBOM), security scan results, and container image signatures.

This blog will demonstrate how to use ORAS CLI v0.14 to copy an image from a public registry validated by Microsoft to a private registry, then attach an SBOM to it and discover the reference in a tree graph.

ORAS workflow

Note: we will use MAR (Microsoft Artifact Registry) and ACR (Azure Container Registry) for demonstration purposes only. Further blog posts will demonstrate how to use ORAS with Amazon ECR and Google GAR soon.

Install ORAS 0.14

Install the latest release of ORAS on a Linux environment:

curl -LO https://github.com/oras-project/oras/releases/download/v0.14.1/oras_0.14.1_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_0.14.1_*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_0.14.1_*.tar.gz oras-install/

Note: You can also refer to the installation guide for other different platforms.

Copy an image from Registry A to Registry B

In this demo, we'll use ORAS to copy the container image from the public MAR registry to my private ACR registry. You can use your preferred container registry with ORAS.

oras copy mcr.microsoft.com/mmlspark/spark2.4:1.0.0 feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0

An SBOM is a machine-readable inventory of the software components that make up a given software product. Generating an SBOM is a first step in supply chain security.

You can use Docker SBOM or SBOM Tool to generate an SBOM for the target image.

SBOM Tool can create SPDX 2.2-compatible SBOMs for a variety of artifacts. In this demo, we use SBOM Tool to create an SPDX 2.2-compatible SBOM for the sample Spark image.

Install the SBOM Tool within a Linux environment:

curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
chmod +x sbom-tool

Generate an SBOM for the Spark image stored in ACR:

sbom-tool generate -di feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0 \
  -b ./foo \
  -pn bar \
  -pv 0.1 \
  -bc ./foo \
  -ps MyCompany \
  -nsb http://mycompany.com

This creates the SBOM file manifest.spdx.json under foo/_manifest/spdx_2.2.

Attach the SBOM to this image

Next, let's attach the generated SBOM to the Spark image stored in ACR:

$ oras attach feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0 foo/_manifest/spdx_2.2/manifest.spdx.json --artifact-type example/sbom
Uploading 97a5dc071dd1 manifest.spdx.json
Uploaded 97a5dc071dd1 manifest.spdx.json
Attached to feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0
Digest: sha256:7592c8026675e463e7ced9b7ed369c2962b354a69b842423e8ctestdigest

View the graph of artifacts

A linked graph of supply chain artifacts can be viewed with the oras discover command:

$ oras discover feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0
Discovered 1 artifacts referencing feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0
Digest: sha256:28de427f1df8cdb99bc98536b489d75cc496a2d37c3b9266248etestdigest

Artifact Type   Digest
example/sbom    sha256:7592c8026675e463e7ced9b7ed369c2962b354a69b842423e8ctestdigest
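The attach and discover steps above link the SBOM to the image by digest, so a consumer can check two things locally: that the registry lists an SBOM referrer for the image, and that the SBOM file on disk is the very blob ORAS uploaded. The following shell functions are an added example and not part of the ORAS project or this post. They assume that the 12-character id printed by oras attach ("Uploading 97a5dc071dd1 manifest.spdx.json") is the first 12 hex characters of the file's sha256 digest, and that oras discover prints one referrer per line in an "Artifact Type / Digest" table as shown above; the discover output embedded below is constructed from the page's transcript, whose digests are placeholders.

```shell
#!/bin/sh
# Added example (not ORAS project code): local checks over "oras attach" and
# "oras discover" output. Assumption: the short blob id oras prints is the
# first 12 hex characters of the file's sha256; the discover table format is
# the one shown in the post.

# sha256_hex FILE: hex sha256 of FILE, using coreutils or the BSD fallback.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# short_id FILE: the 12-character prefix oras shows for an uploaded blob.
short_id() {
    sha256_hex "$1" | cut -c1-12
}

# blob_matches FILE SHORTID: succeeds only if FILE is the blob oras reported.
blob_matches() {
    [ "$(short_id "$1")" = "$2" ]
}

# referrer_digest TYPE: read "oras discover" output on stdin and print the
# digest of the first referrer whose artifact type is TYPE (nothing if none).
# The digest match is loose ("sha256:" prefix only) because the sample digests
# in the post are placeholders rather than real hex.
referrer_digest() {
    awk -v want="$1" '$1 == want && $2 ~ /^sha256:/ { print $2; exit }'
}

# Constructed sample: the "oras discover" transcript from the post.
SAMPLE_DISCOVER='Discovered 1 artifacts referencing feynmanacr.azurecr.io/mmlspark/spark2.4:1.0.0
Digest: sha256:28de427f1df8cdb99bc98536b489d75cc496a2d37c3b9266248etestdigest

Artifact Type   Digest
example/sbom    sha256:7592c8026675e463e7ced9b7ed369c2962b354a69b842423e8ctestdigest'

# sbom_referrer_digest: digest of the example/sbom referrer in the sample.
sbom_referrer_digest() {
    printf '%s\n' "$SAMPLE_DISCOVER" | referrer_digest example/sbom
}

# Stand-alone demo: show which artifact manifest the registry links as SBOM.
echo "SBOM referrer: $(sbom_referrer_digest)"
```

In a real pipeline you would pipe the live output of oras discover into referrer_digest and pass the short id from the oras attach log to blob_matches; a mismatch means the file you are about to trust is not the content the registry holds under that digest.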

ORAS Present and Future

ORAS has been integrated and adopted by several industry-leading ISVs and projects, such as soci-snapshotter by AWS, KubeApps by VMware Tanzu, and the UOR Framework by Red Hat.

ORAS 0.15 and future milestones will provide more capabilities to easily manage OCI content and interact with registries. It will empower the container secure supply chain and focus on the following areas:

  • Manage repositories, tags, manifests, and blobs
  • Support and migrate to OCI reference types
  • Support pushing and pulling artifacts from OCI Image Layout
  • E2E testing

See the ORAS Roadmap for more details.

The ORAS Project was accepted in June 2021 as a Cloud Native Computing Foundation (CNCF) Sandbox project. It is important that we hear from the community as we advance the artifact-spec capability; if you maintain or are implementing a container registry, we are particularly interested in your feedback. Working together, we can improve supply chain artifact security in the cloud native ecosystem.