Feature request: Grafeas-like metadata API
We are in the process of developing a PaaS for NASA // JSC, with fully integrated DevOps powered by GitLab. We are quite pleased with GitLab overall. However, despite many of the individual pieces already being in place around container security (static analysis, scanning, dependency auditing), the existing solution(s) do not expose themselves in a super meaningful or useful way.
With that said, I wanted to document our need for a "software artifact metadata management" service. At its core, this service would be a store for associating arbitrary notes and metadata with a container image as it flows through various stages of the DevOps lifecycle. In addition to storing results from the container auditing mechanisms GitLab CI/CD already supports out of the box, this API could fulfill a much broader set of use-cases. For example:
- define global policies (i.e. scan vulnerabilities, require health checks, white/blacklist ports/packages, etc) to certify images for use by your organization
- automatically attempt to certify any image published to the GL registry
- ability to manually certify images from third-party registries
- insight into dependencies (i.e. search for containers referencing particular versions of gems/node_modules)
- integration with k8's ImagePolicyWebhook to prevent uncertified images from being deployed in production
- if the image has already been certified, return result, otherwise kick off a runner job to certify it
- on pull from the GL registry, generate an audit trail of who pulled the image into what cluster/VM
We think having a solution like this baked into the existing GitLab registry would be a huge value-add to all customers, but especially to enterprises where some level of authoritative container image signing is a requirement for production deployments.
Note: the API server that powers the SaaS offering (Anchore Cloud),
anchore-engine, is open source and probably a good starting point. The only big piece this solution lacks is an audit trail for certain events like a
DEPLOYMENT (from the Grafeas spec).
Somewhat related to #47998.