Open afeld opened 3 years ago
The GSA Container Security Benchmark may be useful here.
I've found this article useful as a possible way forward https://github.com/microsoft/containerregistry https://azure.microsoft.com/en-us/blog/microsoft-syndicates-container-catalog/
New problem here: Free teams in DockerHub are now limited to three users. Getting this error when trying to manage users:
10 of 3 seats filled
I highly recommend that we look into partnering with Platform One, who is doing Container registry.
On Mon, Mar 29, 2021 at 12:18 PM Aidan Feldman @.***> wrote:
New problem here: Free teams in DockerHub are now limited to three users. Getting this error when trying to manage users:
10 of 3 seats filled
@ManojChalise mentioned that GSA IT's DevSecOps Tiger Team is working on a centralized registry for GSA, which presumably/hopefully we can leverage. He said he'll send me whatever documentation/plans he can, and keep us updated.
Connect with Devtools
Background Information
Per https://github.com/18F/tts-tech-portfolio-private/issues/947#issuecomment-706273874, "DockerHub…will not be providing any security information nor do they seem to do security in the way we'd like." Not a great situation. Options:
Probably worth doing some threat modeling to make sure everyone's on the same page about what we are protecting ourselves against.
TTS isn't the only part of GSA using containers, so we should see what's being done in GSA IT, FAS Cloud Services, etc.
Implementation Steps
Acceptance Criteria