WIP: use chainguard's static (distroless v2) for scorecard image #2593
Conversation
developer-guy
requested review from
azeemshaikh38,
justaugustus,
laurentsimon,
naveensrinivasan and
spencerschrock
as code owners
developer-guy
had a problem deploying
to
integration-test
GitHub Actions
Failure
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
4c282d2
to
8ddc121
Compare
developer-guy
had a problem deploying
to
integration-test
GitHub Actions
Failure
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #2593 +/- ##
=======================================
Coverage 40.40% 40.40%
=======================================
Files 122 122
Lines 9908 9908
=======================================
Hits 4003 4003
Misses 5624 5624
Partials 281 281 |
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
8ddc121
to
6f3a417
Compare
developer-guy
had a problem deploying
to
integration-test
GitHub Actions
Failure
|
I marked it as |
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
6f3a417
to
9a739fb
Compare
developer-guy
had a problem deploying
to
integration-test
GitHub Actions
Failure
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
9a739fb
to
5916325
Compare
developer-guy
temporarily deployed
to
integration-test
GitHub Actions
Inactive
|
Integration tests success for |
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
5916325
to
cbe7a6e
Compare
developer-guy
temporarily deployed
to
integration-test
GitHub Actions
Inactive
|
Integration tests success for |
Dockerfile
Outdated
| FROM gcr.io/distroless/base:nonroot@sha256:99133cb0878bb1f84d1753957c6fd4b84f006f2798535de22ebf7ba170bbf434 | ||
| # https://github.com/chainguard-images/images/tree/main/images/static | ||
| # latest | ||
| FROM cgr.dev/chainguard/static@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e |
There was a problem hiding this comment.
Please share the advantages of each option so we can compare them. Thank you!
There was a problem hiding this comment.
One of the utmost essential advantages of using Chainguard's images is that they shipped with both SBOM and SLSA Attestation, making them transparent from an end-user perspective. Also, they have zero CVEs if we compare them with Google's distroless as it has built on top of apk/wolfi packages. Also, it comes with fewer packages included in an image. But as I'm not the project's maintainer, I will ping some maintainers to get more opinions about comparing the two. PTAL @rawlingsj @imjasonh
There was a problem hiding this comment.
@developer-guy Thanks for the update!
@laurentsimon @spencerschrock I am OK with this change. Thoughts?
There was a problem hiding this comment.
Skimmed https://edu.chainguard.dev/chainguard/chainguard-images/faq/ and https://github.com/chainguard-images/images/tree/main/images/static:
The main difference is in the implementation. The Google distroless images are built with Bazel and based on the Debian distribution, whereas Chainguard Images are built with apko based on the Wolfi or Alpine distributions.
Just to add to the attestation differences mentioned above.
The image has a single user nonroot with uid 65532, belonging to gid 65532.
This should be fine here for this scorecard image. The scorecard-action however needs root (which is another Dockerfile in another repo, so that would be an adoption blocker there.
Note: there are other Dockerfiles in this repo, that would be good to have everything on the same page eventually. It might make sense to update the cron images after that pipeline is restored. There's also the attestor images, @raghavkaul do you see this change impacting that?
There was a problem hiding this comment.
I would recommend that we upgrade one of them and then move it across to cron.
There was a problem hiding this comment.
there are other Dockerfiles in this repo, that would be good to have everything on the same page eventually.
Yep, this is the reason why I marked that issue as WIP 😇
Dockerfile
Outdated
| FROM gcr.io/distroless/base:nonroot@sha256:99133cb0878bb1f84d1753957c6fd4b84f006f2798535de22ebf7ba170bbf434 | ||
| # https://github.com/chainguard-images/images/tree/main/images/static | ||
| # latest | ||
| FROM cgr.dev/chainguard/static@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e |
There was a problem hiding this comment.
Might be worth adding a tag here according to #2581. Seems like there are nightly updates, so we would just need to throttle update frequency based on our dependabot settings
Something like this perhaps?
FROM cgr.dev/chainguard/static:latest@sha256:b25ab001448354017969e5abe42496fb107d759d429e69ef69b7da45f0e6cf0e
There was a problem hiding this comment.
I've also updated the digest of the static image of Chainguard that was built a day ago.
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
cbe7a6e
to
9c4b595
Compare
developer-guy
temporarily deployed
to
integration-test
GitHub Actions
Inactive
developer-guy
requested review from
spencerschrock
and removed request for
justaugustus,
azeemshaikh38 and
laurentsimon
|
Integration tests success for |
|
Stale pull request message |
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
developer-guy
force-pushed
the
feature/chainguard-images
branch
from
9c4b595
to
0a36fa1
Compare
|
Kindly ping @spencerschrock @naveensrinivasan, folx, do you want me to continue to replace the base images with the chainguard ones? |
I don't see why not? @spencerschrock Thoughts? |
There was a problem hiding this comment.
Hi folks, sorry for the late reply here. @developer-guy thanks for the PR, but IMO Scorecard should continue using Distroless for the following reasons -
- while there is benefit of having SLSA and SBOM attestations, I would prefer to continue using Distroless images since they see more wider community usage and have been time-tested for longer.
- regarding num_vulns - I believe we are comparing
distroless/basetocgr/static. If there is no reason for us to depend ondistroless/base, we could very well move todistroless/staticwhich should have a lower num_vulns.
To be honest, @azeemshaikh38, there are still differences between the distroless/static and Chainguard's static.
|
|
Stale pull request message |
|
any updates on this ? |
|
Stale pull request message |
|
I'm still willing to do this folx |
|
kindly ping @azeemshaikh38 @naveensrinivasan |
|
Stale pull request message |
|
I'm still waiting for your comments to make it done 😇 |
|
Stale pull request message |
|
kindly ping 🙉 |
|
@developer-guy sorry for the late reply here. My preference is a no to this change for the reason that distroless is an industry standard compared to cgr. If a majority of @ossf/scorecard-maintainers feel differently and would like to move to cgr image instead, I'd be ok with it too. @naveensrinivasan @spencerschrock @laurentsimon @raghavkaul fyi. If there is no response from any of the Scorecard maintainers here, I will close this PR to reduce our PR queue. |
|
Stale pull request message |
@developer-guy Thanks! For now, we are going to close this. We can relook at this later. |
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
What kind of change does this PR introduce?
This feature is about using the chainguard's static image instead of Google's static. I removed a few things from Dockerfile to simplify the process, as I saw that we don't need them.
What is the current behavior?
What is the new behavior (if this is a feature change)?**
Which issue(s) this PR fixes
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)