aquasecurity/manifesto aquasecurity/manifesto

  • Stars
    star
    165
  • Rank 220,878 (Top 5 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created almost 8 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
aquasecurity/manifesto
github

aquasecurity

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Use Manifesto to store and query metadata for container images.

manifesto

Manifesto lets users store and query metadata for Docker images. This metadata can be information that you want to store about an image post-build - where labels are not sufficient.

Build Status

Use cases

  • Managing QA approval status After an image has been built, it needs to go through various testing and approval processes before your organization is ready to use it in production. Keep track of approval status, and who has given sign-off by storing it alongside the image itself.
  • Storing security profiles for an image Manifesto makes it easy to associate a Seccomp or AppArmor profile with an image, so that you can automatically retrieve the correct profile at the point you want to run a container.
  • Storing vulnerability scan reports Images should be scanned regularly for vulnerabilities as new ones may be found in existing code. Manifesto enables storing the latest scan report for an image without modifying the image itself.
  • Support contacts Store the phone number or Slack channel to contact in the event this container image starts causing problems in your live deployment. Update these details without needing to update the image.
  • Tracking active images With CI/CD it's easy to end up with hundreds of thousands of container images in your registry. Use manifesto to store whether an image is actively being used in production - or to indicate the images that can safely be pruned.

The intention is that each piece of metadata could be signed using Notary. This means you can reliably get back the most recent version of that piece of metadata and know that it was put in place by someone with the authority to do so.

At the moment this is a Proof of Concept - feedback and ideas very welcome.

Demo

asciicast

Installation

We automatically build binary executables for Mac, Linux and Windows, or you can rebuild from source. Whichever approach you take, you'll also need to set up credentials - see below.

Installing binaries

Download the latest binary for your platform from the releases tab and unzip it.

You may find it easiest to move the binary into your path once you have downloaded it. For example

$ wget https://github.com/aquasecurity/manifesto/releases/download/<release tag>/manifesto-darwin-amd64.tar.gz
$ tar xf manifesto-darwin-amd64.tar.gz
$ cp bin/darwin/amd64/manifesto /us/local/bin

Building from source

  • Clone this repo (or go get github.com/aquasecurity/manifesto)
  • Go to the directory and go build .

Set up credentials

In this release you will need to be logged in to the Docker Registry - do this with docker login. This means that manifesto can execute docker commands directly.

In addition, since we are now using the Registry API directly to store and retrieve metadata in blobs, you need to pass in your username and password to manifesto itself. You can do this with the command line, environment variables REGISTRY_USERNAME and REGISTRY_PASSWORD, or by responding to prompts.

Usage

$ ./manifesto --help
Store, retrieve and list pieces of metadata alongside your container images in the registry.
Metadata is associated with specific images (by hash).

Usage:
  manifesto [command]

Available Commands:
  get         Show metadata for the container image
  help        Help about any command
  list        List currently stored metadata for the container image
  put         Put metadata for the container image

Flags:
  -h, --help              help for manifesto
  -p, --password string   Registry password (can also be passed in with the env var REGISTRY_PASSWORD)
  -u, --username string   Registry username (can also be passed in with the env var REGISTRY_USERNAME)
  -v, --verbose           Send debug output to stderr

Use "manifesto [command] --help" for more information about a command.

By default (like Docker images) manifesto assumes the 'latest' tag if a tag is not given.

Example

$ ./manifesto put myorg/imagetest something ~/temp.json
Storing metadata 'something' for 'myorg/imagetest:latest'
Metadata 'something' for 'myorg/imagetest:latest' stored at sha256:7be34480285971f16eed284b13fa7d417649f18c7d1af9b2de6970ce99e3cbbd
Updating manifesto for myorg/imagetest
Replacing 'something' metadata in manifesto for 'myorg/imagetest:latest'

$ ./manifesto list myorg/imagetest
Metadata types stored for image 'myorg/imagetest:latest':
    something

$ ./manifesto get myorg/imagetest something
{
  "key" : "value",
  "createdBy" : "liz",
  "number" : 56
}

Proof of concept status

In this proof of concept:

  • we store arbitrary metadata within the Docker registry
  • we store a "manifesto" for the repository with the fixed tag "_manifesto"
  • the manifesto is a json file with references to all the metadata stored for this repository

Manifesto is stored as an image, which references the data blobs for individual pieces of metadata

Note - use of image tags in this prototype

In v 0.0.1 the metadata was stored as separate images, tagged as _manifesto_metadata-type. This allowed us to build the initial prototype very easily, but it meant there were additional repository tags for each piece of metadata, which seems undesirable.

In this version we use the Registry API to store metadata directly in blobs, as shown in the diagram above. This will mean there will just be one additional tag in the repository, _manifesto.

Can I store metadata for any image?

As the metadata is stored in the same repository as the image itself, you can only store metadata for images you own. You could of course save a copy of a third-party image in your own repository, and store metadata alongside it.

How is this better than labels pointing to some arbitrary location where information is stored?

Putting metadata into the registry itself allows us to leverage both existing technology and existing infrastructure. An organisation that stores images in its own on-premise registry can simply store metadata in it, and if they are using Notary again they can simply re-use the same deployment. The signing of metadata uses exactly the same process as the signing of images, so any existing audits and controls can be re-used.

Manifesto data

The manifesto associated with a repository is built using a Dockerfile like this:

FROM scratch
ADD <filename> /data

Where contains all the metadata references for this repository. An example might look like this:

{
	"images": [{
		"image_digest": "70d2f067eb94ec8ab0530068a414d8dbe8c203244ae5d5ad4ba6eb1babd1c1c1",
		"manifesto": [{
				"type": "seccomp",
				"digest": "sha256:a2fe22a6d44aa86432adad99481c3ad526ba35af2223df126620d20e38c70fac"
			},
			{
				"type": "approvals",
				"digest": "sha256:6ced8eb4e6a61639601e7073963ec04a80f70a11442157e1dd825f042879a6da"
			},
			{
				"type": "contact",
				"digest": "sha256:e896a0012a3450d9cef7e040eea8bed3fe06188957439fea501a65b62c65b4f1"
			}
		]
	}, 
    {
		"image_digest": "51d2f067eb94ec8ab0531987a414d8dbe8c203244ae5d5ad4ba6eb1babd1d54a",
		"manifesto": [{
				"type": "seccomp",
				"digest": "sha256:b2f72296d04ea36435adae99481c3ad526ba35af2223df126620d20e38c9763c"
			},
			{
				"type": "documentation",
				"digest": "sha256:9ce18eb4e6a66639601e7073963ec04aa0f70a11442157e1d9825f042879abb1"
			}
		]
    }]
}

The type of each piece of metadata is simply an arbitrary string to identify that type of data. One possibility is to use standardized names (possibly as defined in the OCI image spec or similar) for the type to indicate that the associated data blob contains JSON in a standardized format (such as the vulnerability scanning report format).

Wait - in Docker, it's tags that get signed in Notary. Why is metadata associated with image digests?

When you pull a Docker image tagged, say, 1.4 you'll get whatever the latest signed version tagged 1.4 is. The tag can move between different images (i.e. with different digests) as updates are made, for example to update from 1.4.3 to 1.4.4.

For many types of image metadata (e.g. approval status, vulnerability scan report), a piece of metadata must be associated with a particular build i.e. identified by the digest.

When metadata is added, if signing is enabled the metadata blob gets signed in Notary, as does the manifesto with the references to the metadata blobs.

To Do's

  • Add data signing capabilities and verification with Notary.
  • Code currently execs out to the docker client executable - would be better to use the go client and call the API directly.
  • You need to enter your Docker Hub username and password to put metadata (or pass them in as env vars or parameters). Other commands currently exec out to docker, which means an existing docker login is sufficient for the credentials. It would be better to be consistent, and even better if there were a way of using the credentials from that docker login

More Repositories

1

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Go
21,358
star
2

tfsec

Security scanner for your Terraform code
Go
6,557
star
3

kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Go
5,935
star
4

kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Python
4,588
star
5

tracee

Linux Runtime Security and Forensics using eBPF
Go
3,255
star
6

cloudsploit

Cloud Security Posture Management (CSPM)
JavaScript
3,145
star
7

starboard

Moved to https://github.com/aquasecurity/trivy-operator
Go
1,344
star
8

trivy-operator

Kubernetes-native security toolkit
Go
1,041
star
9

microscanner

Scan your container images for package vulnerabilities with Aqua Security
Dockerfile
856
star
10

kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes
Go
793
star
11

chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Go
699
star
12

trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Shell
683
star
13

cloud-security-remediation-guides

Security Remediation Guides
679
star
14

libbpfgo

eBPF library for Go. Powered by libbpf.
Go
670
star
15

vuln-list

NVD, Ubuntu, Alpine
396
star
16

btfhub

BTFhub, in collaboration with the BTFhub Archive repository, supplies BTF files for all published kernels that lack native support for embedded BTF. This joint effort ensures that even kernels without built-in BTF support can effectively leverage the benefits of eBPF programs, promoting compatibility across various kernel versions.
Go
329
star
17

esquery

An idiomatic Go query builder for ElasticSearch
Go
294
star
18

kube-query

[EXPERIMENTAL] Extend osquery to report on Kubernetes
Go
220
star
19

defsec

Trivy's misconfiguration scanning engine
Go
206
star
20

trivy-db

Go
202
star
21

fanal

Static Analysis Library for Containers
Go
201
star
22

postee

Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.
Go
201
star
23

harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry
Go
198
star
24

docker-bench

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark
Go
179
star
25

cloudsec-icons

A collection of cloud security icons ☁️🔒
Go
178
star
26

vuln-list-update

Go
161
star
27

tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed
Go
160
star
28

linux-bench

Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark
Go
145
star
29

go-dep-parser

Dependency Parser for Multiple Programming Languages
Go
143
star
30

lmdrouter

Go HTTP router library for AWS API Gateway-invoked Lambda Functions
Go
133
star
31

appshield

Security configuration checks for popular cloud native applications and infrastructure.
Open Policy Agent
118
star
32

starboard-lens-extension

Lens extension for viewing Starboard security information
TypeScript
114
star
33

trivy-vscode-extension

A VS Code Extension for Trivy
TypeScript
102
star
34

btfhub-archive

The BTFhub Archive repository provides BTF files for those published kernels that lack native support for embedded BTF, thereby enhancing the versatility of eBPF programs across different kernel versions.
82
star
35

aqua-helm

Helm Charts For Installing Aqua Security Components
Mustache
82
star
36

table

🧮 Tables for terminals, in Go.
Go
64
star
37

tracee-action

Protect GitHub Actions with Tracee
Open Policy Agent
60
star
38

cfsec

Static analysis for CloudFormation templates to identify common misconfiguration
Go
58
star
39

starboard-octant-plugin

Octant plugin for viewing Starboard security information
Go
57
star
40

deployments

All Aqua deployments options and aquactl configuration
Shell
52
star
41

tfsec-sarif-action

Shell
51
star
42

tfsec-action

Vanilla GitHub action to run tfsec
Shell
48
star
43

trivy-azure-pipelines-task

An Azure Pipelines Task for trivy
TypeScript
40
star
44

community

Aqua Security's open source community
37
star
45

harbor-scanner-aqua

Aqua Enterprise scanner as a plug-in vulnerability scanner in the Harbor registry
Go
33
star
46

go-version

A Go library for parsing and verifying versions and version constraints.
Go
32
star
47

aqua-operator

The aqua-operator is a group of controllers that runs within a Kubernetes or Openshift cluster that provides a means to deploy and manage Aqua Security cluster and Components.
Go
32
star
48

trivy-operator-lens-extension

https://github.com/aquasecurity/trivy-operator
TypeScript
31
star
49

vscode-tfsec

vscode extension for tfsec
TypeScript
31
star
50

terraform-provider-aquasec

Go
30
star
51

trivy-java-db

Go
25
star
52

trivy-kubernetes

Trivy kubernetes library
Go
25
star
53

trivy-plugin-kubectl

A Trivy plugin that scans the images of a kubernetes resource
Shell
23
star
54

trivy-checks

Go
20
star
55

trivy-plugin-referrer

Trivy plugin for OCI referrers
Go
20
star
56

trivy-enforcer

[EXPERIMENTAL] Kubernetes Operator for Image Assurance
Go
20
star
57

chain-bench-action

Shell
19
star
58

aqua-aws

The repository not supported any more. Please use this one https://github.com/aquasecurity/deployments
HCL
18
star
59

trivy-docker-extension

Docker Desktop Extension for Trivy
TypeScript
18
star
60

starboard-operator

The Starboard Operator has moved to the main Starboard repo, and this one is being retired
Go
16
star
61

saas-terraform-connection

Terraform modules for CloudSploit Scanner
HCL
14
star
62

trivy-ci-test

Dockerfile
14
star
63

saas-api-samples

Sample code snippets for consuming the CloudSploit API
JavaScript
13
star
64

circleci-orb-microscanner

Enables scanning of docker builds in CircleCi for OS package vulnerabilities.
Dockerfile
13
star
65

trivy-pipe

Bitbucket Pipe for running Trivy in a Pipeline
Shell
13
star
66

windows-bench

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark
Go
13
star
67

vim-tfsec

List your tfsec issues in the QuickFix window with this plugin.
Vim Script
12
star
68

helm-charts

Aqua Open Source Helm Chart Repository
12
star
69

vim-trivy

Vim Plugin for Trivy
Vim Script
12
star
70

trivy-plugin-aqua

Makefile
11
star
71

binfinder

Find binary files not installed through package manager
Go
11
star
72

tracee-tester

This is a spin-off from Tracee project responsible for generating the docker image that tests open-source signatures.
Shell
10
star
73

gobard

Unofficial Golang API for Bard Chat.
Go
9
star
74

trivy-sarif-demo

JavaScript
9
star
75

go-git-pr-commenter

library for adding comments to git PRs
Go
9
star
76

cloud-metadata

Common metadata repository for CSPM and TFSec checks
Go
9
star
77

tracee-test-kernels

Kernels for testing tracee CO-RE feature
C
9
star
78

bench-common

Common code for hardening benchmarks
Go
9
star
79

aws-security-hub-plugin

Aqua Security AWS Security Hub plugin
9
star
80

trivy-repo

deb/rpm repository for Trivy
8
star
81

aqua-dash

Sample Aqua CSP dashboard
Vue
8
star
82

scan-cve-2018-8115

Python
7
star
83

pipeline-enforcer-action

TypeScript
7
star
84

intellij-trivy

Trivy Plugin for the JetBrains family of IDEs
Java
7
star
85

go-pep440-version

A golang library for parsing PEP 440 compliant Python versions
Go
7
star
86

build-security-action

GitHub Action for Aqua Build Security
Shell
7
star
87

go-npm-version

A golang library for parsing npm versions
Go
6
star
88

amazon-eks-devsecops

PHP
6
star
89

trivy-plugin-attest

Publish SBOM attestation
Go
6
star
90

tfsec-azure-pipelines-task

An Azure DevOps Task for tfsec
TypeScript
6
star
91

trivy-iac

Go
5
star
92

trivy-module-wordpress

Trivy example module for WordPress
Go
5
star
93

saas-integrations

CloudSploit third-party integrations
JavaScript
5
star
94

reportgen

PDF reports for Aqua CSP image and host vulnerabilities
Go
5
star
95

avd-generator

Generator component for AVD
CSS
5
star
96

testdocker

Test utilities for Docker Engine/Registry
Go
5
star
97

secfixes-tracker

Forked from https://gitlab.alpinelinux.org/kaniini/secfixes-tracker
Python
5
star
98

starboard-aqua-csp-webhook

The image scan results webhook configurable in Aqua CSP management console to integrate with the Starboard tool kit.
Go
5
star
99

trivy-test-images

Test images for Trivy
Shell
4
star
100

homebrew-trivy

Ruby
4
star