ORAS security self assessment#2240
Conversation
Signed-off-by: Andrew Block <andy.block@gmail.com>
JustinCappos
left a comment
There was a problem hiding this comment.
Thanks for working on this. I can see that you've put in quite a bit of effort.
I think a few things could be moved around / clarified a bit, but given how well you did the first draft, this shouldn't be a huge burden.
|
|
||
| OCI registries are a core component within cloud computing as it provides storage for container images. Over time, there became an interest to store additional types of content aside from container images which led to the standardization of OCI artifacts as a solution. The ORAS project was born out of the need to enable the management and lifecycle of OCI artifacts along with the interaction with OCI registries. | ||
|
|
||
| ### Actors |
There was a problem hiding this comment.
This should include your tooling, the registries, the consumers of those, etc. I think what you list here are all a similar sort of actor which is tooling that calls whatever operations are supported.
It is important also to stress who the parties are that are doing this and how you authenticate them, etc.
| 3. A [Custom GitHub Action](https://github.com/oras-project/setup-oras) to enable the installation of the ORAS CLI within [GitHub Actions](https://docs.github.com/en/actions) | ||
| 4. A [MCP Server](https://github.com/oras-project/oras-mcp) using the [Model Context Protocol](https://modelcontextprotocol.io) to manage OCI artifacts in remote registries | ||
|
|
||
| ### Actions |
There was a problem hiding this comment.
A lot of this section could be expanded to address security concerns. (Much of the current content can likewise be removed to support this, if desired.)
What this should be is what actions people can perform, such as publish to a registry, delete an item, upload security metadata, retrieve an item, etc.
Please also indicate who is trusted to perform each action and when / how.
|
|
||
| #### Integration with Client Libraries | ||
|
|
||
| ORAS client libraries are the primary interface between tooling contained within the project (such as the `oras` CLI) and third party applications. Capabilities are provides to manage the lifecycle of OCI artifacts locally (including interacting with the local filesystem/Operating System) and remote OCI registries. |
There was a problem hiding this comment.
More detail here about these capabilities, etc. is important for security analysis.
|
|
||
| #### Using the oras Command Line Interface (CLI) | ||
|
|
||
| The `oras` Command Line Interface (CLI) represents how most end users and tools interact with the ORAS project. Methods are available for managing OCI artifacts locally as well as in remote OCI registries in an easy to use, human-friendly utility. |
There was a problem hiding this comment.
Some of this reads too much like marketing-speak. Can you make it more objective?
| **Awareness of OCI Artifacts and their benefits** | ||
|
|
||
| Demonstrate the use of OCI artifacts as a method of packaging and storing content using OCI structures. | ||
|
|
||
| **Creation and management of OCI Artifacts** | ||
|
|
||
| Tooling to support the creation and management of OCI artifacts both within a local environment/machine along with remote OCI registries. | ||
|
|
||
| **Tooling for the mangement of OCI assets** | ||
|
|
||
| In addition to OCI artifacts themselves, the project provides utilities for interacting with additional OCI related resources, such as Manifests. | ||
|
|
There was a problem hiding this comment.
This needs to be reframed to talk about security goals. What attacks are you trying to prevent? What attacks are out of scope, etc.?
|
|
||
| ### Non-Goals | ||
|
|
||
| While not the primary areas of focus, the ORAS project seeks to provide the following: |
There was a problem hiding this comment.
The content you've written here is really good, but it probably belongs elsewhere. This should be things that are out of scope (e.g., an attacker that has stolen API keys, malicious hardware, etc.).
|
|
||
| This document provides ORAS maintainers and stakeholders with additional context to help inform the roadmap creation process, so that security and feature improvements can be prioritized accordingly. | ||
|
|
||
| ## Security functions and features |
There was a problem hiding this comment.
So this content is a lot of what is needed above. Perhaps move it / integrate it there?
| ## Secure Development Practices | ||
|
|
||
| The ORAS project follows established CNCF and OSS best practices for code development and delivery. |
There was a problem hiding this comment.
Can you be more specific about what you follow and how you've verified this?
ORAS security self assessment