From 6e8e9619ed8b0ab76438906a87fb8dd2d8e3882c Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sat, 5 Mar 2022 19:24:30 +0100 Subject: [PATCH] add note about signed images --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dc65903..99b8ae7 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,16 @@ This non-official image is intended as an **all-in-one** (as in monolithic) Next ## Security Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself. -Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Latest tag/version is automatically built weekly, so you should often update your images regardless if you're already using the latest Nextcloud version. +- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. +- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version. +- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer. +- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well: -If you're building manually, you should always build production images without cache (use `docker build --no-cache` for instance). Latest dependencies will hence be used instead of outdated ones due to a cached layer. +``` +COSIGN_EXPERIMENTAL=true cosign verify ghcr.io/wonderfall/nextcloud +``` + +Verifying the signature isn't a requirement, and might not be as seamless as using *Docker Content Trust* (which is not supported by GitHub's OCI registry). However, it's strongly recommended to do so in a sensitive environment to ensure the authenticity of the images and further limit the risk of supply chain attacks. ## Features - Fetching PHP/nginx from their official images.