WIP: use chainguard's static (distroless v2) for scorecard image #2593
Conversation
Codecov Report
Additional details and impacted files

@@ Coverage Diff @@
##           main   #2593   +/-   ##
=======================================
  Coverage   40.40%  40.40%
=======================================
  Files         122     122
  Lines        9908    9908
=======================================
  Hits         4003    4003
  Misses       5624    5624
  Partials      281     281
I marked it as |
Integration tests success for |
Integration tests success for |
Dockerfile
Outdated
FROM gcr.io/distroless/base:nonroot@sha256:99133cb0878bb1f84d1753957c6fd4b84f006f2798535de22ebf7ba170bbf434 | ||
# https://github.com/chainguard-images/images/tree/main/images/static | ||
# latest | ||
FROM cgr.dev/chainguard/static@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e |
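Review bot: the removed line selected the `:nonroot` variant of distroless/base explicitly, while the added `cgr.dev/chainguard/static` line relies on the base image's default user and, being a static image, ships no libc. Unless a later `USER` directive already sets it, add an explicit `USER 65532:65532` so the runtime identity does not silently change with the base image default, and confirm the scorecard binary copied into this stage is built with `CGO_ENABLED=0`, since a dynamically linked Go binary will not start on a static base. The `# latest` comment above the pinned digest also goes stale the moment the digest is bumped; state the resolved version or drop the comment.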
Please share the advantages of each option so we can compare them. Thank you!
One of the most essential advantages of using Chainguard's images is that they ship with both an SBOM and an SLSA attestation, making them transparent from an end-user perspective. Also, they have zero CVEs if we compare them with Google's distroless, as they are built on top of apk/wolfi packages. Also, they come with fewer packages included in an image. But as I'm not the project's maintainer, I will ping some maintainers to get more opinions about comparing the two. PTAL @rawlingsj @imjasonh
@developer-guy Thanks for the update!
@laurentsimon @spencerschrock I am OK with this change. Thoughts?
Skimmed https://edu.chainguard.dev/chainguard/chainguard-images/faq/ and https://github.com/chainguard-images/images/tree/main/images/static:
The main difference is in the implementation. The Google distroless images are built with Bazel and based on the Debian distribution, whereas Chainguard Images are built with apko based on the Wolfi or Alpine distributions.
Just to add to the attestation differences mentioned above.
The image has a single user nonroot with uid 65532, belonging to gid 65532.
This should be fine here for this scorecard image. The scorecard-action however needs root (which is another Dockerfile in another repo), so that would be an adoption blocker there.
Note: there are other Dockerfiles in this repo, that would be good to have everything on the same page eventually. It might make sense to update the cron images after that pipeline is restored. There's also the attestor images, @raghavkaul do you see this change impacting that?
I would recommend that we upgrade one of them and then move it across to cron.
there are other Dockerfiles in this repo, that would be good to have everything on the same page eventually.
Yep, this is the reason why I marked that issue as WIP 😇
Dockerfile
Outdated
FROM gcr.io/distroless/base:nonroot@sha256:99133cb0878bb1f84d1753957c6fd4b84f006f2798535de22ebf7ba170bbf434 | ||
# https://github.com/chainguard-images/images/tree/main/images/static | ||
# latest | ||
FROM cgr.dev/chainguard/static@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e |
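Review bot: the added FROM line pins by digest only, which Dependabot cannot track because it proposes bumps by tag; write the reference as `cgr.dev/chainguard/static:latest@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e` so updates are proposed automatically while the digest still fixes the exact image that gets built.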
Might be worth adding a tag here according to #2581. Seems like there are nightly updates, so we would just need to throttle update frequency based on our dependabot settings
Something like this perhaps?
FROM cgr.dev/chainguard/static:latest@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e
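The check behind the suggestion above, as an added example that is not code from this PR or from the scorecard project: a small POSIX shell lint that reads a Dockerfile and reports, for every FROM line, whether the image reference carries both a tag (so Dependabot can follow it) and a full sha256 digest (so the build resolves the same image every time). Stage aliases and `scratch` are skipped. The function names, status words and the sample Dockerfile are this example's own; the static image digest is the one from this PR, the builder digest is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the scorecard PR: lint Dockerfile FROM lines for
# tag + sha256 digest pinning. Function and status names are this example's own.

# Print the image reference of each FROM line on stdin (first token after FROM,
# skipping an optional --platform=... flag and dropping any "AS name" alias).
from_refs() {
    sed -nE 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?([^[:space:]]+).*/\2/p'
}

# Print the alias of every "FROM ... AS name" stage on stdin, so that later
# "FROM name" lines are recognised as stage references, not registry images.
stage_names() {
    sed -nE 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]].*[[:space:]][Aa][Ss][[:space:]]+([^[:space:]]+)[[:space:]]*$/\1/p'
}

# check_ref REF: print "<status> REF" and return 0 only when REF is fully pinned.
# Statuses: pinned, no-tag, no-digest, bad-digest.
check_ref() {
    ref=$1
    case "$ref" in
        *@*) name=${ref%%@*}; digest=${ref#*@} ;;
        *)   printf '%-10s %s\n' no-digest "$ref"; return 1 ;;
    esac
    # The tag sits in the last path component; a registry host may carry a
    # :port, so only that component is inspected for a colon.
    last=${name##*/}
    case "$last" in
        *:*) ;;
        *)   printf '%-10s %s\n' no-tag "$ref"; return 1 ;;
    esac
    if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        printf '%-10s %s\n' bad-digest "$ref"; return 1
    fi
    printf '%-10s %s\n' pinned "$ref"
}

# lint_dockerfile: read a Dockerfile on stdin, report each FROM image, and
# return 1 if any registry image is missing its tag or digest.
lint_dockerfile() {
    content=$(cat)
    stages=$(printf '%s\n' "$content" | stage_names)
    rc=0
    for ref in $(printf '%s\n' "$content" | from_refs); do
        skip=0
        [ "$ref" = scratch ] && skip=1
        for s in $stages; do [ "$ref" = "$s" ] && skip=1; done
        if [ "$skip" -eq 1 ]; then
            printf '%-10s %s\n' skip "$ref"
            continue
        fi
        check_ref "$ref" || rc=1
    done
    return "$rc"
}

# Constructed sample Dockerfile: the builder digest is a placeholder (64 zeros);
# the two static lines are the digest-only and tag+digest forms from this PR.
SAMPLE_DOCKERFILE='FROM golang:1.20@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
FROM builder AS test
FROM cgr.dev/chainguard/static@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e
FROM cgr.dev/chainguard/static:latest@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e
FROM scratch'

if printf '%s\n' "$SAMPLE_DOCKERFILE" | lint_dockerfile; then
    echo "all base images are pinned by tag and digest"
else
    echo "at least one base image is not fully pinned"
fi
```

Run it against a real file with `lint_dockerfile < Dockerfile`; the digest-only form from this PR is reported as `no-tag`, and the tag+digest form as `pinned`. The tag check looks only at the last path component so that a registry with a port (`localhost:5000/...`) is not mistaken for a tagged image.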
of course!
I've also updated the digest of the static image of Chainguard that was built a day ago.
Integration tests success for |
Stale pull request message
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Kindly ping @spencerschrock @naveensrinivasan, folx, do you want me to continue to replace the base images with the chainguard ones?
I don't see why not? @spencerschrock Thoughts?
Hi folks, sorry for the late reply here. @developer-guy thanks for the PR, but IMO Scorecard should continue using Distroless for the following reasons -
- while there is benefit of having SLSA and SBOM attestations, I would prefer to continue using Distroless images since they see more wider community usage and have been time-tested for longer.
- regarding num_vulns - I believe we are comparing `distroless/base` to `cgr/static`. If there is no reason for us to depend on `distroless/base`, we could very well move to `distroless/static` which should have a lower num_vulns.
To be honest, @azeemshaikh38, there are still differences between the distroless/static and Chainguard's static.
Stale pull request message
any updates on this ?
Stale pull request message
I'm still willing to do this folx
kindly ping @azeemshaikh38 @naveensrinivasan
Stale pull request message
I'm still waiting for your comments to make it done 😇
Stale pull request message
kindly ping 🙉
@developer-guy sorry for the late reply here. My preference is a no to this change for the reason that distroless is an industry standard compared to cgr. If a majority of @ossf/scorecard-maintainers feel differently and would like to move to cgr image instead, I'd be ok with it too. @naveensrinivasan @spencerschrock @laurentsimon @raghavkaul fyi. If there is no response from any of the Scorecard maintainers here, I will close this PR to reduce our PR queue.
Stale pull request message
@developer-guy Thanks! For now, we are going to close this. We can relook at this later.
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
What kind of change does this PR introduce?
This feature is about using Chainguard's static image instead of Google's static. I removed a few things from the Dockerfile to simplify the process, as I saw that we don't need them.
What is the current behavior?
What is the new behavior (if this is a feature change)?
Which issue(s) this PR fixes
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the `release-note` section. (In particular, describe what changes users might need to make in their application as a result of this pull request.)