[Sandbox] Ratify - Githubissues

Application contact emails

feynmanzhou@microsoft.com, yizha1@microsoft.com, luisdlp@microsoft.com, sajaya@microsoft.com

Project Summary

A verification engine on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies you create.

Project Description

Ratify is a workflow engine that coordinates the verification of different supply chain objects for an image as per a given policy. It is a verification framework that can use and coordinate any number of custom verifiers for things like signatures, SBoMs, vulnerability scan results, attestations, and so on. Ratify aggregates the results of these independent verifiers using a policy. This aggregated result can be used to make decisions in the admission controllers.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/deislabs (We are transferring Ratify to a new org https://github.com/ratify-project)

Roadmap context

No response

Contributing Guide

https://github.com/deislabs/ratify/blob/staging/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/deislabs/ratify/blob/staging/CODE_OF_CONDUCT.md

Adopters

https://github.com/deislabs/ratify/blob/staging/ADOPTERS.md

Contributing or Sponsoring Org

Microsoft

Maintainers file

https://github.com/deislabs/ratify/blob/staging/MAINTAINERS

IP Policy

[X] If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

[X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

Ratify is an open and extensible verification framework for container images and other artifacts that can examine and use custom policies that users create to approve deployments in Kubernetes. We believe CNCF is a neutral home for Ratify because it has a flourish and active community can help the future success of Ratify through the development of third-party integrations.

Benefit to the Landscape

Ratify's mission is to safeguard the container supply chain by ratifying trustworthy and compliant container images and other software artifacts. As a open framework in CNCF security & compliance area, Ratify is designed with different interface models to allow for its integration at different stages of the containers secure supply chain. Ratify has already collaborated and integrated with some CNCF projects and provide joint solutions to CNCF ecosystem users.

Cloud Native 'Fit'

Ratify enables users to verify artifact security metadata (signatures and attestations including vulnerability reports, SBOM, provenance data, and VEX documents) prior to deployment in Kubernetes clusters and admit for deployment only those that comply with an admission policy that users create.

With Ratify, cloud-native workloads can be verifiable on deployment, eventually increase the security posture of cloud-native ecosystem users.

Cloud Native 'Integration'

Notary Project, OPA Gatekeeper, Trivy (non-CNCF), ORAS, Sigstore Cosign (OpenSSF)

Cloud Native Overlap

To our knowledge, there isn't any direct overlap with other CNCF projects today.

Similar projects

Connaisseur, Kyverno

Landscape

We will create a PR to add Ratify to the CNCF Landscape in April.

Business Product or Service to Project separation

Azure Kubernetes Service has developed a managed addon based on the Ratify project for customers. The development and roadmap of the open-source project and the managed addon have always remained entirely separate, and that will continue to be true going forward.

In addition, Venafi CodeSigning and AWS Signer have related managed services that support Ratify as a verification engine.

Project presentations

We finished a presentation in TAG Security on Apr 24. Here is the Ratify slide deck that we used for CNCF TAG Security Presentation - Ratify.pdf

Project champions

@lachie83

Additional information