If you’re not securing your container images and generating SBOMs (Software Bill of Materials) on a daily basis, you should definitely start. If you’d like to get started easily, we offer an open source and free service to the community called CAS, the Community Attestation Service. Once you start securing your images, you’ll probably want a shortcut to notarize (aka sign) and authenticate (aka verify) your containers. Here’s how you can accomplish that easily via Docker CLI plugins, which let you add your own commands to the Docker CLI.
Let’s take the WordPress container image as an example. Say we want shortcuts like the commands below that link the Codenotary Community Attestation Service to the Docker CLI:
```bash
docker notarize wordpress     # notarize the container image using your account (add trust)
docker notarizebom wordpress  # notarize the container image and its SBOM using your account
docker untrust wordpress      # remove trust from the container image using your account
docker auth wordpress         # verify the container image trust based on your account
```
Luckily, you can integrate any kind of shell script into the Docker CLI as a plugin to extend its functionality.
You can find sample code that does the job for you in this repository: https://github.com/vchaindz/cas-docker-cli-plugins
Make sure you have a Community Attestation Service account and the cas binary in your path.
- Register: https://cas.codenotary.com/
- Download binary: https://github.com/codenotary/cas/releases
- Log in to cas: export CAS_API_KEY=<YOURAPIKEY>; cas login
Then just run the following command on your Docker machine (tested on Linux and macOS) to download the scripts into your Docker CLI plugin folder:
```bash
mkdir -p ~/.docker/cli-plugins
for cmd in docker-auth docker-authbom docker-notarize docker-notarizebom docker-untrust; do
  curl https://raw.githubusercontent.com/vchaindz/cas-docker-cli-plugins/main/$cmd \
    -o ~/.docker/cli-plugins/$cmd && \
  chmod +x ~/.docker/cli-plugins/$cmd
done
```
The Docker CLI automatically detects the new plugins, and you can run the docker auth or docker notarize commands with the container image of your choice.
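To show what such a plugin looks like, here is an added, hypothetical docker-auth script written for this post; it is not the script from the repository above. It follows the Docker CLI plugin protocol (Docker probes the binary with the docker-cli-plugin-metadata argument, then calls it as docker-auth auth IMAGE) and assumes the cas CLI accepts docker://IMAGE references for authenticate, notarize and untrust; the bom variants are left out.

```bash
#!/bin/sh
# Hypothetical Docker CLI plugin (example code, not the repository's script).
# Install as ~/.docker/cli-plugins/docker-auth and make it executable.
set -eu

# Docker discovers plugins by calling them with this single argument and
# expects a small JSON document describing the plugin.
plugin_metadata() {
  printf '{"SchemaVersion":"0.1.0","Vendor":"example","Version":"0.1.0",'
  printf '"ShortDescription":"Verify container image trust with CAS"}\n'
}

# Map the Docker subcommand to the cas invocation.
# Assumed cas syntax: cas <verb> docker://IMAGE
cas_command() {
  sub=$1
  image=$2
  case "$sub" in
    auth)     echo "cas authenticate docker://$image" ;;
    notarize) echo "cas notarize docker://$image" ;;
    untrust)  echo "cas untrust docker://$image" ;;
    *)        return 1 ;;
  esac
}

main() {
  if [ "${1:-}" = "docker-cli-plugin-metadata" ]; then
    plugin_metadata
    exit 0
  fi
  # Docker invokes the plugin as: docker-auth auth IMAGE
  sub=${1:-}
  image=${2:-}
  [ -n "$image" ] || { echo "usage: docker $sub IMAGE" >&2; exit 2; }
  # Fail early with a clear message instead of an opaque cas error.
  [ -n "${CAS_API_KEY:-}" ] || { echo "CAS_API_KEY not set; run 'cas login' first" >&2; exit 2; }
  cmd=$(cas_command "$sub" "$image") || { echo "unknown subcommand: $sub" >&2; exit 2; }
  # cas exits non-zero when the image is untrusted, so the exit status propagates to docker.
  exec $cmd
}

# Only dispatch when run as one of the plugin names (a symlinked copy
# named docker-notarize or docker-untrust reuses the same script).
case "${0##*/}" in
  docker-auth|docker-notarize|docker-untrust) main "$@" ;;
esac
```

Because the plugin exec's cas, a failed verification makes docker auth itself exit non-zero, which is what you want in a CI step.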
```bash
# make sure to log in to cas before using the plugins
export CAS_API_KEY=<your API_KEY>
cas login

# Trust the wordpress container image
docker notarize wordpress

# Trust the wordpress container image and its dependencies
docker notarizebom wordpress

# Untrust the wordpress container image
docker untrust wordpress

# Authenticate the wordpress container image
docker auth wordpress
```