https://github.com/nwtgck/docker-repository
π‘οΈSecure Automated-Build Docker Repository: Proof of integrity by CI
https://github.com/nwtgck/docker-repository
auto-build automation docker registry safety security
Last synced: 3 months ago
JSON representation
π‘οΈSecure Automated-Build Docker Repository: Proof of integrity by CI
- Host: GitHub
- URL: https://github.com/nwtgck/docker-repository
- Owner: nwtgck
- License: mit
- Created: 2019-03-27T11:30:20.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2019-03-28T05:59:13.000Z (over 7 years ago)
- Last Synced: 2024-10-11T15:11:26.542Z (almost 2 years ago)
- Topics: auto-build, automation, docker, registry, safety, security
- Language: Ruby
- Homepage:
- Size: 13.7 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# docker-repository
[](https://travis-ci.com/nwtgck/docker-repository)
Automated-Build Docker Repository for Security
## Purpose
**Guarantee that Docker images are built definitely by a trusted third party**.
Even if someone enable Docker automation-build, the owners can push Docker Hub from their local machine. So, someone bad guy can push malicious images.
This repository guarantees the images are completely built in Travis CI, and the image tar files are published to GitHub Releases.
For proof of integrity, SHA256 of tar files are calculated.
You can **verify SHA256 in Travis CI output and downloaded files**. This ensures that your files should be built on Travis CI, and the build formula, Dockerfile and build script, "build.bash" are public without malicious code on GitHub.
## Example Release
Here is an [example release].
You can verify SHA256 on [the Travis job corresponding to the release](https://travis-ci.com/nwtgck/docker-repository/jobs/188383303) and ones of your downloaded files.
## How to get Docker image
Here is an example to load Docker image.
```bash
# Download
wget https://github.com/nwtgck/docker-repository/releases/....../myimage.tar
# Load
docker load < myimage.tar
```
Then, `docker images` should output loaded image.
You can calculate SHA256 by `shasum -a myimage.tar`.
## Structure
Here is the project structure.
* Each repository must be under `./repos` directory.
* Each repository must have `build.bash`.
* The `build.bash` must create `./dist` directory.
* The `./dist` should have files of Docker image tar files.
```txt
repos/
βββ hogeuser1
β βββ mydockerimage1
β β βββ build.bash
β βββ mydockerimage2
β βββ build.bash
β βββ myasset1.txt
βββ hogeuser2
β βββ mydockerimage1
β βββ build.bash
βββ ...
```
## How to trigger Docker build
Special commit message triggers Docker build.
For example, commit message, `"#[nwtgck/piping-server] Bump up to 0.9.2"` triggers `bash repos/nwtgck/piping-server/build.bash`.
After build in Travis CI, the image will be available in GitHub Releases like an [example release].
The format is like `#[myimage_name]`. `repos/myname` should exists in this repo. The commit message should contain one `#[myimage_name]` because too much image build consume a lot of time.
[example release]: https://github.com/nwtgck/docker-repository/releases/tag/image%2Fnwtgck%2Fpiping-server%2F2019-03-28T05-53-02Z