📚 Context
Problem:
Currently, there is a lack of visibility into the build process and contents of Docker images used in the project. This makes it challenging to assess the security risks associated with using open source and third-party packages.
Relevance:
With the widespread use of open source and third-party packages, ensuring the security and integrity of the images we use is crucial for maintaining the security of our project. By implementing attestation in the Docker building process, we can enhance transparency and make informed decisions about the images we use.
Benefits:
Enhanced supply chain security: Attestations provide visibility into the build process and contents of Docker images, enabling us to assess and mitigate security risks.
Compliance and auditability: Attestations serve as a record of how images were built, aiding in compliance with security standards and regulations.
Informed decision-making: With attestation, we can make informed decisions about the images we use, based on their provenance and contents.
✔️ Solution
Implement attestation in the Docker build process to generate build attestations, including a Software Bill of Materials (SBOM) and provenance.
📈 Subtasks
Use existing Bake files to implement attestation in the Docker workflows:
[ ] Implement Software Bill of Materials (SBOM) --> list of software artifacts that an image contains, or that were used to build the image.
[ ] Implement provenance --> how an image was built (builder, source, build parameters).
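As an added example (not from this project's own Bake files), the snippet below shows how a Bake target turns on both attestation types; the target name, context path and image tag are assumed placeholders. The `attest` attribute and the `imagetools inspect` format strings in the comments are standard Buildx features.

```hcl
# docker-bake.hcl (example; adjust target name, context and tags to the project's layout)
# Build with a docker-container builder so attestations can be produced and pushed:
#   docker buildx create --name attest-builder --driver docker-container --use
#   docker buildx bake --push app

target "app" {
  context    = "."
  dockerfile = "Dockerfile"
  tags       = ["registry.example.com/team/app:latest"]   # placeholder tag

  # Build attestations attached to the image as in-toto statements.
  # - provenance (SLSA): mode=max records the full build definition, including
  #   the Dockerfile and build args; review that nothing sensitive ends up in a
  #   publicly readable attestation before choosing max over the default min.
  # - sbom: SPDX inventory of what the image contains / what was used to build it.
  attest = [
    "type=provenance,mode=max",
    "type=sbom",
  ]

  # Provenance is only meaningful for a reproducible reference, so push
  # (or export as OCI) rather than loading into the local docker image store.
  output = ["type=registry"]
}

# Checks after the build (run against the pushed reference):
#   docker buildx imagetools inspect registry.example.com/team/app:latest \
#     --format '{{ json .Provenance }}'
#   docker buildx imagetools inspect registry.example.com/team/app:latest \
#     --format '{{ json .SBOM }}'
# Both should return non-empty JSON; an empty result usually means the build
# ran with the default docker driver or without a pushed/OCI output.
```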