We are evaluating the migration from RHPAM to IBM BAMOE. Due to security concerns, we want to evaluate the supply chain of the container images found on quay.io. This repository seems to have some elements missing:
How are the images built?
Where is the code for building the images (Dockerfile)? There is a file named ContainerFile in each folder, but it appears to be a copy from somewhere else.
Where are the pipelines? Where is the code for these pipelines (Jenkins files, GitLab, GitHub Actions, etc.)?
It is possible to retrospectively inspect the images from quay.io, but we don’t think that is the way to go in an open-source project. Red Hat explains everything here: Red Hat Software Supply Chain Security.
Thanks for your help.
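As an added example (not part of the original issue, and not code from the BAMOE project), the following shows what the "retrospective inspection" mentioned above looks like in practice: parsing an OCI image config, as obtained with `skopeo inspect --config docker://<registry>/<image>:<tag>`, to recover the build steps from the layer history and to check whether the standard OCI provenance labels (source repository, revision, version, creation time) are present. The image config embedded below is constructed for illustration; the image name and label values are placeholders, not real BAMOE images.

```python
import json

# Pre-defined OCI Image Spec annotation keys that tie an image back to its
# source repository and build. Their absence is a supply-chain red flag: the
# image cannot be linked to a reviewable Containerfile and commit.
PROVENANCE_LABELS = (
    "org.opencontainers.image.source",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.version",
    "org.opencontainers.image.created",
)

# Constructed sample of an OCI image config (what `skopeo inspect --config`
# returns). Hypothetical image, labels and layer history; not a real registry object.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "Labels": {
            "org.opencontainers.image.source": "https://github.com/example-org/example-images",
            "org.opencontainers.image.created": "2024-01-01T00:00:00Z",
            "name": "example-image",
        }
    },
    "history": [
        {"created": "2024-01-01T00:00:00Z",
         "created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
        {"created": "2024-01-01T00:00:01Z",
         "created_by": "/bin/sh -c microdnf install -y java-17-openjdk-headless"},
        {"created": "2024-01-01T00:00:02Z",
         "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "empty_layer": True},
    ],
})


def reconstruct_build_steps(config_json):
    """Turn the layer history into approximate Containerfile instructions.

    Docker/Buildah record metadata-only steps with a '#(nop)' marker and
    shell steps as '/bin/sh -c <cmd>'; everything else is kept verbatim.
    """
    cfg = json.loads(config_json)
    steps = []
    for entry in cfg.get("history", []):
        cmd = entry.get("created_by", "")
        if "#(nop)" in cmd:
            cmd = cmd.split("#(nop)", 1)[1].strip()
        elif cmd.startswith("/bin/sh -c "):
            cmd = "RUN " + cmd[len("/bin/sh -c "):].strip()
        steps.append(cmd)
    return steps


def audit_provenance_labels(config_json):
    """Return (present, missing): which OCI provenance labels the image carries."""
    cfg = json.loads(config_json)
    labels = cfg.get("config", {}).get("Labels") or {}
    present = {k: labels[k] for k in PROVENANCE_LABELS if k in labels}
    missing = [k for k in PROVENANCE_LABELS if k not in labels]
    return present, missing


def provenance_is_traceable(config_json):
    """True only if the image names both a source repo and an exact revision."""
    present, _ = audit_provenance_labels(config_json)
    return ("org.opencontainers.image.source" in present
            and "org.opencontainers.image.revision" in present)


if __name__ == "__main__":
    for step in reconstruct_build_steps(SAMPLE_CONFIG):
        print("  ", step)
    present, missing = audit_provenance_labels(SAMPLE_CONFIG)
    print("present:", sorted(present))
    print("missing:", missing)
    print("traceable to a commit:", provenance_is_traceable(SAMPLE_CONFIG))
```

Reconstructing steps from history only recovers what the builder recorded; it does not show the pipeline that ran the build, which is why the questions above about the pipeline definitions still need an answer from the project side. The label audit is the cheap first check: an image without a `source` and `revision` label cannot be matched against any Containerfile in this repository.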