Application contact emails
feynmanzhou@microsoft.com, yizha1@microsoft.com, luisdlp@microsoft.com, sajaya@microsoft.com
Project Summary
A verification engine on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies you create.
Project Description
Ratify is a workflow engine that coordinates the verification of different supply chain objects for an image according to a given policy. It is a verification framework that can use and coordinate any number of custom verifiers for things like signatures, SBOMs, vulnerability scan results, attestations, and so on. Ratify aggregates the results of these independent verifiers using a policy. This aggregated result can be used to make decisions in admission controllers.
Org repo URL (provide if all repos under the org are in scope of the application)
https://github.com/deislabs (We are transferring Ratify to a new org https://github.com/ratify-project)
Project repo URL in scope of application
https://github.com/deislabs/ratify
Additional repos in scope of the application
https://github.com/deislabs/ratify-web
Website URL
https://ratify.dev/
Roadmap
https://github.com/deislabs/ratify/blob/staging/ROADMAP.md
Roadmap context
No response
Contributing Guide
https://github.com/deislabs/ratify/blob/staging/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/deislabs/ratify/blob/staging/CODE_OF_CONDUCT.md
Adopters
https://github.com/deislabs/ratify/blob/staging/ADOPTERS.md
Contributing or Sponsoring Org
Microsoft
Maintainers file
https://github.com/deislabs/ratify/blob/staging/MAINTAINERS
IP Policy
[X] If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
[X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
Ratify is an open and extensible verification framework for container images and other artifacts that can evaluate custom policies created by users to approve deployments in Kubernetes. We believe CNCF is a neutral home for Ratify because it has a flourishing and active community that can help the future success of Ratify through the development of third-party integrations.
Benefit to the Landscape
Ratify's mission is to safeguard the container supply chain by ratifying trustworthy and compliant container images and other software artifacts. As an open framework in the CNCF security & compliance area, Ratify is designed with different interface models to allow for its integration at different stages of the container secure supply chain. Ratify has already collaborated and integrated with some CNCF projects and provides joint solutions to CNCF ecosystem users.
Cloud Native 'Fit'
Ratify enables users to verify artifact security metadata (signatures and attestations including vulnerability reports, SBOM, provenance data, and VEX documents) prior to deployment in Kubernetes clusters and admit for deployment only those that comply with an admission policy that users create.
With Ratify, cloud-native workloads can be verified at deployment time, which ultimately improves the security posture of cloud-native ecosystem users.
Cloud Native 'Integration'
Notary Project, OPA Gatekeeper, Trivy (non-CNCF), ORAS, Sigstore Cosign (OpenSSF)
Cloud Native Overlap
To our knowledge, there isn't any direct overlap with other CNCF projects today.
Similar projects
Connaisseur, Kyverno
Landscape
We will create a PR to add Ratify to the CNCF Landscape in April.
Business Product or Service to Project separation
Azure Kubernetes Service has developed a managed add-on based on the Ratify project for customers. The development and roadmap of the open-source project and the managed add-on have always remained entirely separate, and that will continue to be true going forward.
In addition, Venafi CodeSigning and AWS Signer have related managed services that support Ratify as a verification engine.
Project presentations
We gave a presentation to TAG Security on Apr 24. The Ratify slide deck we used is attached: CNCF TAG Security Presentation - Ratify.pdf
Project champions
@lachie83
Additional information
No response