Skip to content

ORAS security self assessment#2240

Open
sabre1041 wants to merge 1 commit into
cncf:mainfrom
sabre1041:oras-self-assessment
Open

ORAS security self assessment#2240
sabre1041 wants to merge 1 commit into
cncf:mainfrom
sabre1041:oras-self-assessment

Conversation

@sabre1041

Copy link
Copy Markdown

ORAS security self assessment

Signed-off-by: Andrew Block <andy.block@gmail.com>
@sabre1041 sabre1041 requested a review from a team as a code owner July 11, 2026 08:59
@github-actions github-actions Bot added the needs-triage Indicates an issue or PR that has not been triaged yet (has a 'triage/foo' label applied) label Jul 11, 2026
@github-actions github-actions Bot added the needs-kind Indicates an issue or PR that is missing an issue type or kind (a kind/foo label) label Jul 11, 2026
@github-actions github-actions Bot added the needs-group Indicates an issue or PR that has not been assigned a group (toc or tag/foo label applied) label Jul 11, 2026

@JustinCappos JustinCappos left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this. I can see that you've put in quite a bit of effort.

I think a few things could be moved around / clarified a bit, but given how well you did the first draft, this shouldn't be a huge burden.


OCI registries are a core component within cloud computing as it provides storage for container images. Over time, there became an interest to store additional types of content aside from container images which led to the standardization of OCI artifacts as a solution. The ORAS project was born out of the need to enable the management and lifecycle of OCI artifacts along with the interaction with OCI registries.

### Actors

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should include your tooling, the registries, the consumers of those, etc. I think what you list here are all a similar sort of actor which is tooling that calls whatever operations are supported.

It is important also to stress who the parties are that are doing this and how you authenticate them, etc.

3. A [Custom GitHub Action](https://github.com/oras-project/setup-oras) to enable the installation of the ORAS CLI within [GitHub Actions](https://docs.github.com/en/actions)
4. A [MCP Server](https://github.com/oras-project/oras-mcp) using the [Model Context Protocol](https://modelcontextprotocol.io) to manage OCI artifacts in remote registries

### Actions

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A lot of this section could be expanded to address security concerns. (Much of the current content can likewise be removed to support this, if desired.)

What this should be is what actions people can perform, such as publish to a registry, delete an item, upload security metadata, retrieve an item, etc.

Please also indicate who is trusted to perform each action and when / how.


#### Integration with Client Libraries

ORAS client libraries are the primary interface between tooling contained within the project (such as the `oras` CLI) and third party applications. Capabilities are provides to manage the lifecycle of OCI artifacts locally (including interacting with the local filesystem/Operating System) and remote OCI registries.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More detail here about these capabilities, etc. is important for security analysis.


#### Using the oras Command Line Interface (CLI)

The `oras` Command Line Interface (CLI) represents how most end users and tools interact with the ORAS project. Methods are available for managing OCI artifacts locally as well as in remote OCI registries in an easy to use, human-friendly utility.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of this reads too much like marketing-speak. Can you make it more objective?

Comment on lines +90 to +101
**Awareness of OCI Artifacts and their benefits**

Demonstrate the use of OCI artifacts as a method of packaging and storing content using OCI structures.

**Creation and management of OCI Artifacts**

Tooling to support the creation and management of OCI artifacts both within a local environment/machine along with remote OCI registries.

**Tooling for the mangement of OCI assets**

In addition to OCI artifacts themselves, the project provides utilities for interacting with additional OCI related resources, such as Manifests.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be reframed to talk about security goals. What attacks are you trying to prevent? What attacks are out of scope, etc.?


### Non-Goals

While not the primary areas of focus, the ORAS project seeks to provide the following:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The content you've written here is really good, but it probably belongs elsewhere. This should be things that are out of scope (e.g., an attacker that has stolen API keys, malicious hardware, etc.).


This document provides ORAS maintainers and stakeholders with additional context to help inform the roadmap creation process, so that security and feature improvements can be prioritized accordingly.

## Security functions and features

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this content is a lot of what is needed above. Perhaps move it / integrate it there?

Comment on lines +152 to +154
## Secure Development Practices

The ORAS project follows established CNCF and OSS best practices for code development and delivery.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific about what you follow and how you've verified this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-group Indicates an issue or PR that has not been assigned a group (toc or tag/foo label applied) needs-kind Indicates an issue or PR that is missing an issue type or kind (a kind/foo label) needs-triage Indicates an issue or PR that has not been triaged yet (has a 'triage/foo' label applied)

Projects

Status: New
Status: No status
Status: No status
Status: No status

Development

Successfully merging this pull request may close these issues.

2 participants