ChristofferNissen
commented
4 months ago Hey Klavs, Thanks for the great suggestion 👍
Based on the text above:
- I will first of all look into if we can always verify the SHA on pull
2.. It would also be interesting to add validation of signatures, if the chart developers have signed their images. Unfortunately this is not the case for a lot of smaller Helm Charts, but should be supported for the ones that do.
- Then we need to figure out a PoC of how to come up with a general approach to diff the two images in Golang - a quick search i found this which looks promising https://github.com/sergi/go-diff.
Right now i am mostly unclear about which two versions to compare. If Helmper is tasked with importing v0.0.2 of a Helm Chart, we want to do a diff of all images in v0.0.1 to all images in v0.0.2? This could even be controlled through the declarative spec, which version you want to compare to.
- Oh, and I first need to add the feature to export to filesystem instead of pushing to registries 😄
KlavsKlavsen
a bit of a braindump here - to be restructured :)
It would be really cool if helmper could facilitate showing a diff (output from 'diff -bduNr' current-docker/ new-docker/ - and just export the current and "to be updated to" docker image - so one can see what actual changes are being introduced - and maybe spot "nefarious changes" if they happen in your supply chain. Same with helm charts.
Often supply chain attacks are not at the code - but at the "mirrors"/repos of libs and dependencies https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/
Helmper should help identify "unexpected changes".. generally. f.ex. not enough use the sha256 of a docker image - so you could change what a tag points to (simply push to same tag again - as supply chain attack) - and most would download the newimage - as they were not actually pointing to the sha256 of the releasetag - but just the tag.