container-source-policy 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -3
- package/package.json +8 -8
package/README.md
CHANGED
|
@@ -1,8 +1,12 @@
|
|
|
1
1
|
# container-source-policy
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
[](https://codecov.io/gh/tinovyatkin/container-source-policy)
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
Generate BuildKit **source policies** that make Docker builds reproducible and secure — without modifying your Dockerfiles.
|
|
6
|
+
|
|
7
|
+
- 📌 **Pin** images and URLs to immutable checksums
|
|
8
|
+
- 🛡️ **Harden** builds with [Docker Hardened Images](https://dhi.io) (fewer CVEs, smaller footprint)
|
|
9
|
+
- ✅ **Validate** existing policies against Dockerfiles *(coming soon)*
|
|
6
10
|
|
|
7
11
|
See the [BuildKit documentation on build reproducibility](https://github.com/moby/buildkit/blob/master/docs/build-repro.md) for more details on source policies.
|
|
8
12
|
|
|
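Review bot: the added badge line `[](https://codecov.io/gh/tinovyatkin/container-source-policy)` has empty link text, so as written it renders as an invisible link; it was presumably meant to wrap a badge image (`![codecov](...)`), so please confirm the image part was not lost. Separately, listing `Validate existing policies against Dockerfiles *(coming soon)*` in the same bullet style as the shipped features invites users to look for a command that does not exist yet; either move it to a roadmap line or keep the "coming soon" marker but drop the checkmark emoji.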
@@ -67,6 +71,35 @@ Write directly to a file:
|
|
|
67
71
|
container-source-policy pin --output source-policy.json Dockerfile
|
|
68
72
|
```
|
|
69
73
|
|
|
74
|
+
### Docker Hardened Images (DHI)
|
|
75
|
+
|
|
76
|
+
Use `--prefer-dhi` to pin Docker Hub library images to their [Docker Hardened Images](https://www.docker.com/blog/docker-hardened-images-now-free/) equivalents when available:
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
# First, login to dhi.io with your Docker Hub credentials
|
|
80
|
+
docker login dhi.io
|
|
81
|
+
|
|
82
|
+
# Then use --prefer-dhi to prefer hardened images
|
|
83
|
+
container-source-policy pin --prefer-dhi --stdout Dockerfile
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
This converts eligible images (e.g., `alpine:3.21`, `node:22`, `golang:1.23`) to their `dhi.io` equivalents, which are minimal, security-hardened
|
|
87
|
+
versions with fewer vulnerabilities.
|
|
88
|
+
|
|
89
|
+
- Only Docker Hub library images (`alpine`, `node`, `golang`, etc.) are eligible
|
|
90
|
+
- Images not available on dhi.io silently fall back to docker.io
|
|
91
|
+
- Non-library images (`ghcr.io/*`, `docker.io/myorg/*`) are unchanged
|
|
92
|
+
- The policy selector still matches the original reference, so your Dockerfile works unchanged
|
|
93
|
+
|
|
94
|
+
Example output with `--prefer-dhi`:
|
|
95
|
+
|
|
96
|
+
```json
|
|
97
|
+
{
|
|
98
|
+
"selector": { "identifier": "docker-image://golang:1.23" },
|
|
99
|
+
"updates": { "identifier": "docker-image://dhi.io/golang:1.23@sha256:..." }
|
|
100
|
+
}
|
|
101
|
+
```
|
|
102
|
+
|
|
70
103
|
Then pass the policy to BuildKit / Buildx via the environment variable:
|
|
71
104
|
|
|
72
105
|
```bash
|
|
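Review bot: `Images not available on dhi.io silently fall back to docker.io` means a build the user believes is hardened can quietly pull the unhardened image, and nothing in the documented output tells them which images were rewritten. The tool already emits warnings for volatile URL content, so the same mechanism should warn on each fallback, and the README should point users at the generated policy (the `updates.identifier` field, as in the example output) as the place to verify that every base image was actually mapped to `dhi.io`. It is also worth stating whether the build host needs `docker login dhi.io` as well as the machine running `pin`, since the selector keeps the original `golang:1.23` reference while the build itself pulls from `dhi.io`.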
@@ -102,9 +135,11 @@ buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. -
|
|
|
102
135
|
- Git URLs (handled separately, see below)
|
|
103
136
|
- Volatile content (emits warning): URLs returning `Cache-Control: no-store`, `no-cache`, `max-age=0`, or expired `Expires` headers
|
|
104
137
|
- Fetches the checksum and emits `CONVERT` rules with `http.checksum` attribute.
|
|
105
|
-
- **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the
|
|
138
|
+
- **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the
|
|
139
|
+
policy as `http.header.*` attributes to ensure reproducible builds.
|
|
106
140
|
|
|
107
141
|
**Optimized checksum fetching** — avoids downloading large files when possible:
|
|
142
|
+
|
|
108
143
|
- `raw.githubusercontent.com`: extracts SHA256 from ETag header
|
|
109
144
|
- GitHub releases: uses the API `digest` field (set `GITHUB_TOKEN` for higher rate limits)
|
|
110
145
|
- S3: uses `x-amz-checksum-sha256` response header (by sending `x-amz-checksum-mode: ENABLED`)
|
|
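Review bot: the re-wrapped continuation line `policy as `http.header.*` attributes to ensure reproducible builds.` starts at column 0 rather than indented under its bullet; Markdown treats it as a lazy continuation so it still renders inside the list item, but indenting it by two spaces makes the intent explicit and keeps it attached if someone later inserts a blank line above it. No functional change otherwise.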
@@ -143,6 +178,7 @@ UPDATE_SNAPS=true go test ./internal/integration/...
|
|
|
143
178
|
- `cmd/container-source-policy/cmd/`: CLI commands (urfave/cli)
|
|
144
179
|
- `internal/dockerfile`: Dockerfile parsing (`FROM` and `ADD` extraction)
|
|
145
180
|
- `internal/registry`: registry client (image digest resolution)
|
|
181
|
+
- `internal/dhi`: Docker Hardened Images reference mapping
|
|
146
182
|
- `internal/http`: HTTP client (URL checksum fetching with optimizations)
|
|
147
183
|
- `internal/git`: Git client (commit SHA resolution via git ls-remote)
|
|
148
184
|
- `internal/policy`: BuildKit source policy types and JSON output
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "container-source-policy",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "Generate Buildx container source policy file for a given Dockerfile",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
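Review bot: the bump to `"version": "0.5.0"` is a minor bump for a new `--prefer-dhi` flag, which fits 0.x semver; note the removed line is truncated to `"version": "0.` in this rendering, so the hunk itself cannot confirm the prior version, only the page title (0.4.0 → 0.5.0) does.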
@@ -28,13 +28,13 @@
|
|
|
28
28
|
},
|
|
29
29
|
"homepage": "https://github.com/tinovyatkin/container-source-policy#readme",
|
|
30
30
|
"optionalDependencies": {
|
|
31
|
-
"container-source-policy-darwin-arm64": "0.
|
|
32
|
-
"container-source-policy-darwin-x64": "0.
|
|
33
|
-
"container-source-policy-linux-arm64": "0.
|
|
34
|
-
"container-source-policy-linux-x64": "0.
|
|
35
|
-
"container-source-policy-windows-arm64": "0.
|
|
36
|
-
"container-source-policy-windows-x64": "0.
|
|
37
|
-
"container-source-policy-freebsd-x64": "0.
|
|
31
|
+
"container-source-policy-darwin-arm64": "0.5.0",
|
|
32
|
+
"container-source-policy-darwin-x64": "0.5.0",
|
|
33
|
+
"container-source-policy-linux-arm64": "0.5.0",
|
|
34
|
+
"container-source-policy-linux-x64": "0.5.0",
|
|
35
|
+
"container-source-policy-windows-arm64": "0.5.0",
|
|
36
|
+
"container-source-policy-windows-x64": "0.5.0",
|
|
37
|
+
"container-source-policy-freebsd-x64": "0.5.0"
|
|
38
38
|
},
|
|
39
39
|
"scripts": {
|
|
40
40
|
"postinstall": "node postinstall.js"
|
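Review bot: every platform package under `optionalDependencies` is pinned to the exact version `0.5.0`, matching the top-level version, which is the right choice for prebuilt-binary packages that `postinstall.js` resolves; the remaining risk is publish ordering. If the main package is published before the seven platform packages, npm will skip the failed optional dependency and `node postinstall.js` will find no binary. Suggest a release step (or CI check) that asserts all eight version strings are identical and that each platform package is already on the registry before the main package is tagged.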