{"id":20155270,"url":"https://github.com/redhat-cop/image-scanning-signing-service","last_synced_at":"2025-04-09T22:02:44.775Z","repository":{"id":56233353,"uuid":"121777692","full_name":"redhat-cop/image-scanning-signing-service","owner":"redhat-cop","description":"Image Signing and Scanning as a Service","archived":false,"fork":false,"pushed_at":"2020-11-19T06:29:38.000Z","size":29047,"stargazers_count":36,"open_issues_count":15,"forks_count":21,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-04-09T22:02:39.389Z","etag":null,"topics":["container-cop"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-cop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-02-16T17:11:28.000Z","updated_at":"2024-10-04T12:12:37.000Z","dependencies_parsed_at":"2022-08-15T15:10:22.182Z","dependency_job_id":null,"html_url":"https://github.com/redhat-cop/image-scanning-signing-service","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fimage-scanning-signing-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fimage-scanning-signing-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fimage-scanning-signing-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fimage-scanning-signing-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-cop","download_url"
:"https://codeload.github.com/redhat-cop/image-scanning-signing-service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248119296,"owners_count":21050755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-cop"],"created_at":"2024-11-13T23:31:11.780Z","updated_at":"2025-04-09T22:02:44.747Z","avatar_url":"https://github.com/redhat-cop.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Image Signing Operator\n========================================\n\n_This repository is currently undergoing active development. Functionality may be in flux_\n\n## Install Operator\n\n### Create Namespace\n```\n$ oc new-project image-management\n```\n\n### Install CRD and Resources\n```\n$ oc apply -f deploy/crds/imagesigningrequests.cop.redhat.com_imagesigningrequests_crd.yaml\n$ oc apply -f deploy/service_account.yaml\n$ oc apply -f deploy/role.yaml\n$ oc apply -f deploy/role_binding.yaml\n$ oc apply -f deploy/scc.yaml\n$ oc apply -f deploy/secret.yaml\n```\n\n### Deploy \nApply the operator to the image-management namespace\n```\n$ oc apply -f deploy/operator.yaml\n```\n\n## Registry Types\nThis operator supports a wide range of registry types when declaring an image to sign. The type and location of the image to sign are found within the `containerImage` attribute of the `ImageSigningRequest` CR.\n\n### Container Repository\nTraditional format for utilizing a remote container, either by specifying a tag or digest. 
These are of kind `ContainerRepository` under the `containerImage` attribute.\n\n#### Tag\n```\ncontainerImage:\n  kind: ContainerRepository\n  name: quay.io/redhat-cop/image-scanning-signing-service:latest\n```\n#### Digest\n```\ncontainerImage:\n  kind: ContainerRepository\n  name: quay.io/redhat-cop/image-scanning-signing-service\u0026sha256:a47ae897b964f1e543452c31a24bbd3d46ed5830f4a6d9992be97d0ce61ceb6b\n```\n\n### ImageStreamTag (OpenShift)\nSpecify an OCP `ImageStream` along with the corresponding tag of the desired image to sign. These are of kind `ImageStreamTag` under the `containerImage` attribute.\n\n```\ncontainerImage:\n  kind: ImageStreamTag\n  name: image-scanning-signing-service:latest\n```\n\n## Pull Secrets\nA pull secret can be included in the `ImageSigningRequest` when the image to sign is in a private repository.\n\n```\nspec:\n  containerImage:\n    kind: ContainerRepository\n    name: quay.io/redhat-cop/image-scanning-signing-service:latest\n  pullSecret:\n    name: quay\n```\n\n### Creating Pull Secret (OpenShift)\nThere are two options to create the secret needed for accessing a private repository.\n\n#### Existing Docker Config File\nIf you use `docker login` locally, you can use your existing config.json file to create a secret containing the tokens needed for remote login. 
\n\n\u003e :warning: **Security Risk**: This will upload the tokens for all remote repositories that you have logged into locally.\n\n```\n oc secrets new \u003cpull_secret_name\u003e \\\n     .dockerconfigjson=path/to/.docker/config.json\n```\n\n#### Registry Credentials\nCreate a new secret by including your repository's credentials within the oc cli secrets command.\n\n```\noc secrets new-dockercfg \u003cpull_secret_name\u003e \\\n    --docker-server=\u003cregistry_server\u003e --docker-username=\u003cuser_name\u003e \\\n    --docker-password=\u003cpassword\u003e --docker-email=\u003cemail\u003e\n```\n\n## Example Workflow (OpenShift)\n\nTo facilitate Image Signing, the image signer makes use of an `ImageSigningRequest` Custom Resource Definition which allows users to declare their intent to have an image signed. This section will walk through the process of signing an image after a new image has been built.\n\nOpenShift provides a number of quickstart templates. One of these templates contains a simple .NET Core web application. This is an ideal use case to showcase image signing in action.\n\n### Build an Application\n\nFirst, create a new project called dotnet-example\n\n```$ oc new-project dotnet-example```\n\nInstantiate the dotnet-example template within the project using the default values specified in the template\n\n```$ oc new-app --template=dotnet-example```\n\n### Declare an Intent to Sign the Image\n\nTo declare your intent to sign the previously built image, a new `ImageSigningRequest` can be created within the project. 
A typical request is shown below\n\n```\napiVersion: imagesigningrequests.cop.redhat.com/v1alpha1\nkind: ImageSigningRequest\nmetadata:\n  name: dotnet-app\nspec:\n  containerImage:\n    kind: ImageStreamTag\n    name: dotnet-example:latest\n```\n\nThe above example can be applied to the cluster by running\n\n``` $ oc apply -f deploy/examples/imagestreamtag.yaml ```\n\nThe signing pod will launch in the `image-management` namespace and handle the signing of the specified image. The `ImageSigningRequest` in the `dotnet-example` namespace will be updated and contain the name of the signed image in the Status section. Confirm this by running \n\n``` $ oc get imagesigningrequest/dotnet-app -o yaml ```\n\nFinally, the newly created Image will contain the signatures associated with the signing action. This can be confirmed by running the following command:\n\n```\n$ oc get image $(oc get imagesigningrequest dotnet-app --template='{{ .status.signedImage }}') -o yaml\n```\n\n## Development\n### [How-To](docs/development.md)\n### [Testing](docs/testing.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fimage-scanning-signing-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-cop%2Fimage-scanning-signing-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fimage-scanning-signing-service/lists"}