containrrr / watchtower

A process for automating Docker container base image updates.
https://containrrr.dev/watchtower/
Apache License 2.0

cosign support or other methods to verify integrity of container images #1774

Open tob123 opened 1 year ago

tob123 commented 1 year ago

Is your feature request related to a problem? Please describe.

Hi,

The problem I have is that watchtower updates containers that have been built / released on-prem (on Harbor repositories), and during the process of image updating no signature check is done.

Describe the solution you'd like

I would like watchtower to support checking signatures created by cosign. Cosign supports all container repositories. See also here: https://github.com/sigstore/cosign

Then, using Docker Compose based on your example of running multiple instances, that would help a lot to start verifying images:

```yaml
version: '3'

services:
  app-signed:
    image: myapps/some-app
    labels:
      - "com.centurylinklabs.watchtower.scope=signed"
  app:
    image: myapps/some-app-2
    labels:
      - "com.centurylinklabs.watchtower.scope=myscope"

  watchtower-sign:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 30 --scope signed
    labels:
      - "com.centurylinklabs.watchtower.scope=signed"
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 30 --scope myscope
    labels:
      - "com.centurylinklabs.watchtower.scope=myscope"
```

source: https://containrrr.dev/watchtower/running-multiple-instances/

Describe alternatives you've considered

I am aware there is Docker Content Trust, but that appears to work only on Docker Hub (*).

(*) From what I see, content trust is enabled on Docker official images (for example postgres, mariadb), but many image publishers tend not to sign their images (including watchtower(?)), or there is no support for content trust(?) (Google Container Registry).

Additional context

No response
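Until watchtower itself verifies signatures, the gate described in this request can be placed in front of it: a wrapper that runs `cosign verify` on each container's image and hands only the containers that pass to a one-shot watchtower run. This is an added example, not watchtower or cosign code; it assumes cosign is installed (or `COSIGN` names a wrapper), `PUBKEY` points at the signer's public key, and the caller supplies `container=image` pairs.

```shell
#!/bin/sh
# Added example (not watchtower code): verify cosign signatures before a
# one-shot watchtower pass so only signed images get updated.
# Assumes cosign on PATH (or COSIGN set) and PUBKEY = signer's public key.
set -eu

COSIGN="${COSIGN:-cosign}"
PUBKEY="${PUBKEY:-cosign.pub}"

# verify_image IMAGE: exit 0 only when cosign accepts the signature on IMAGE.
verify_image() {
  "$COSIGN" verify --key "$PUBKEY" "$1" >/dev/null 2>&1
}

# select_verified container=image ...: print each container whose image
# verifies, one per line; report the rest on stderr and skip them.
select_verified() {
  for entry in "$@"; do
    container="${entry%%=*}"
    image="${entry#*=}"
    if verify_image "$image"; then
      printf '%s\n' "$container"
    else
      printf 'skip %s: signature check failed for %s\n' "$container" "$image" >&2
    fi
  done
}

# run_watchtower_once CONTAINER...: single watchtower pass limited to the
# named containers (watchtower takes container names as arguments).
run_watchtower_once() {
  if [ "$#" -eq 0 ]; then
    echo "no verified containers, watchtower not started" >&2
    return 0
  fi
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    containrrr/watchtower --run-once "$@"
}

# Usage: ./gate.sh app-signed=myapps/some-app app=myapps/some-app-2
main() {
  verified=$(select_verified "$@")
  set -- $verified   # word-split the newline-separated container names
  run_watchtower_once "$@"
}

main "$@"
```

Run it from cron or a CI job instead of watchtower's own polling loop; an image whose signature does not verify is simply left at its current version and reported on stderr.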

github-actions[bot] commented 1 year ago

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏