Draft: Wolfi based image builds
What does this MR do?
I've been working on some wolfi image builds in my spare time as a hedge against other options. Here are the results so far:
- 0 CVEs
- 30-80% reduction in total image sizes
- produces multi-arch images targeting x86_64 and aarch64
- SBOMs generated and attached to each image
- all images (and SBOMs) signed with cosign
- super simple pipeline definition (no multi-phase builds, no caching, no artifacts). The entire thing is 60 LOC standalone: https://gitlab.com/marshall007/CNG/-/blob/wolfi/.gitlab/ci/wolfi.gitlab-ci.yml#L46-105
Results for the registry.gitlab.com/gitlab-org/build/cng/gitaly:master-fips tag:
- Total CVEs: 83 (UNKNOWN: 0, LOW: 51, MEDIUM: 32, HIGH: 0, CRITICAL: 0)
- Total Image size: 906 MB
- Signed: no
- Build Provenance: no
- SBOM: no
Results for the registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest tag (my fork):
- Total CVEs: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
- Total Image size: 654 MB
- Signed: yes
- Build Provenance: yes
- SBOM: yes
Anyone should be able to verify these results with the following commands:

```
$ trivy image registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest
2023-07-19T21:37:29.982-0400 INFO Vulnerability scanning is enabled
2023-07-19T21:37:29.982-0400 INFO Secret scanning is enabled
2023-07-19T21:37:29.982-0400 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-19T21:37:29.982-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-19T21:37:31.235-0400 WARN Invalid Version Found : OS alpine, Package gitaly, Version 16.2.0-rc4-r0
2023-07-19T21:37:37.089-0400 INFO Detected OS: wolfi
2023-07-19T21:37:37.089-0400 INFO Detecting Wolfi vulnerabilities...
2023-07-19T21:37:37.090-0400 INFO Number of language-specific files: 0

registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ cosign verify registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest \
    --certificate-oidc-issuer=https://gitlab.com \
    --certificate-identity=https://gitlab.com/marshall007/CNG//.gitlab-ci.yml@refs/heads/wolfi

Verification for registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

$ cosign download sbom registry.gitlab.com/marshall007/cng/wolfi/gitaly:latest
```
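The "Total: N (UNKNOWN: .., LOW: .., ...)" lines above are what `trivy` prints in table mode; a pipeline that wants to keep an image at 0 CVEs needs the same numbers as a machine-checkable gate. The following is an added example (not code from this MR or the CNG project) that reproduces that summary from `trivy image -f json` output and fails when any finding reaches a chosen severity; the report embedded in it is a constructed sample with placeholder CVE ids, and `fail_on` is an assumed parameter name.

```python
"""Gate a container image on its Trivy JSON scan results (added example)."""
import json

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape `trivy image -f json` emits
# (Results[].Vulnerabilities[].Severity); ids and counts are illustrative.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/gitaly:sample",
    "Results": [
        {"Target": "gitaly (alpine 3.18)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-0000-0002", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW"},
         ]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "Severity": "HIGH"},
        ]},
        {"Target": "clean-layer"},  # key is absent when nothing was found
    ],
})


def summarize(report_json: str) -> dict:
    """Count findings per severity across every Result target."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def format_total(counts: dict) -> str:
    """Render the one-line summary in trivy's table style."""
    detail = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"


def passes_gate(counts: dict, fail_on: str = "HIGH") -> bool:
    """True when no finding is at or above the `fail_on` severity."""
    floor = SEVERITIES.index(fail_on)
    return all(counts[s] == 0 for s in SEVERITIES[floor:])


if __name__ == "__main__":
    c = summarize(SAMPLE_REPORT)
    print(format_total(c))
    raise SystemExit(0 if passes_gate(c) else 1)
```

In a job, pipe the real scan in (`trivy image -f json ... | python3 gate.py`) and let the non-zero exit fail the pipeline.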
Related issues
- Use cosign to sign CNG images (#467 - closed)
- Support multiple architecture build for CNG images (gitlab-org/charts/gitlab#2899 - closed)
- CNG: Use alternative build tools (gitlab-org/charts/gitlab#1743)
- https://gitlab.com/gitlab-org/build/CNG/-/issues/463+
- CNG: Distinguish between Asset and Runtime images (gitlab-org/charts/gitlab#4217)
- CNG: Use smaller base images (#34)
- CNG: Use Distroless base image (gitlab-org/charts/gitlab#1741)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- Merge Request Title and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Integration tests added to GitLab QA
- The impact any change in container size has should be evaluated
- New dependencies are managed with dependencies.io
Edited by Marshall Cottrell