Security manifest pusher

Class used for creating and pushing container security manifests in the form of attestations. The manifests are extracted from a pushed image, and the product name is added to them as metadata. If a security manifest already exists for the image, the product names of the existing and the new manifest can be merged.

class pubtools._quay.security_manifest_pusher.SecurityManifestPusher(push_items: List[object], target_settings: Dict[str, Any])

Class that pushes container security manifests.

__init__(push_items: List[object], target_settings: Dict[str, Any]) -> None

Initialize.

Args:
push_items ([ContainerPushItem]):

List of push items.

target_settings (dict):

Target settings.

classmethod cosign_get_security_manifest(image_ref: str, output_file: str) -> bool

Use cosign to get security manifest from an image and save it to a file.

Args:
image_ref (str):

Image reference to get the manifest from.

output_file (str):

File where to save the manifest.

Returns (bool):

Whether the manifest was gathered successfully (True) or not (False).

cosign_get_existing_attestation(image_ref: str, output_file: str, rekor_url: Optional[str] = None, skip_verify_rekor: bool = False) -> bool

Use cosign to verify and get an attestation, if it exists.

Args:
image_ref (str):

Image reference to get the manifest from.

output_file (str):

File where to save the attestation.

rekor_url (str):

URL of the Rekor instance to use. If unset, the default is used.

skip_verify_rekor (bool):

Whether to skip Rekor transparency log verification. Use this option when the attestation was created without uploading a transparency log entry to Rekor. The rekor_url parameter is ignored when this option is enabled.

Returns (bool):

Whether the attestation was gathered successfully (True) or not (False).

cosign_attest_security_manifest(security_manifest_path: str, image_ref: str, rekor_url: Optional[str] = None, skip_upload_rekor: bool = False) -> None

Use cosign to attest a security manifest and push the created image to the destination.

Args:
security_manifest_path (str):

Path to the security manifest.

image_ref (str):

Image to which the security manifest should be attested.

rekor_url (str):

URL of the Rekor instance to use. If unset, the default is used.

skip_upload_rekor (bool):

Whether to skip uploading a transparency log entry to Rekor. The rekor_url parameter is ignored when this option is enabled.

Raises:
RuntimeError:

If the command fails.

classmethod cosign_triangulate_image(image_ref: str, dir_path: str, image_type: str = 'attestation') -> str

Use cosign to get the reference to the attestation image.

Args:
image_ref (str):

Image whose attestation image reference should be obtained.

dir_path (str):

Path where a file containing the reference should be created.

image_type (str):

Type of image being triangulated.

Returns (str):

Reference of the attestation image.

Raises:
RuntimeError:

If the command fails.

get_security_manifest_from_attestation(file_path: str) -> Union[Dict[Any, Any], Any]

Parse image attestation and extract a security manifest.

Args:
file_path (str):

Path of a file containing the attestation.

Returns (dict):

Security manifest extracted from the parsed attestation.

security_manifest_get_products(security_manifest: Dict[Any, Any]) -> Set[str]

Get the set of products recorded in an already uploaded security manifest.

Products are expected to be stored in the manifest's "properties" list, one entry per product, in the format: "properties": [ { "name": "product", "value": "product-1" }, { "name": "product", "value": "product-2" } ]

Args:
security_manifest (dict):

Security manifest extracted from an attestation.

Returns (set[str]):

Set of product names.

get_destination_repos(item: Any) -> List[str]

Get a list of destination refs (without tag/digest) of a push item.

Args:
item (ContainerPushItem):

Push item.

Returns ([str]):

List of destination repositories (refs without tag/digest).

delete_existing_attestation(image_ref: str, dir_path: str) -> None

Delete an existing attestation image.

This may be necessary if a new product name is to be added to an existing security manifest. By default, 'cosign attest' appends the new security manifest to the existing attestation, so the attestation would carry two manifests instead of one, and cosign is unable to replace an existing attestation by itself. The attestation image therefore needs to be removed manually before being re-uploaded with the complete list of products.

Args:
image_ref (str):

Image whose attestation image should be removed.

dir_path (str):

Path to a directory where temporary files may be created.

security_manifest_add_products(security_manifest_path: str, products: Set[str]) -> str

Add product names of the shipped image to the security manifest.

The modified manifest is saved to a new file in the same directory; the original file is left untouched.

Args:
security_manifest_path (str):

Path to the extracted security manifest.

products (set[str]):

Products to add to the security manifest.

Returns (str):

Path to a file containing the modified security manifest.
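The product extraction and merge described for security_manifest_get_products and security_manifest_add_products above, as an added stand-alone example (not the project's own code). It assumes the manifest is a JSON document carrying the "properties" list in the format shown above; the sample manifest is constructed, and the output file name is an assumption.

```python
import json
import os
import tempfile
from typing import Any, Dict, List, Set

# Constructed sample security manifest using the "properties" layout
# described above; not extracted from a real image.
SAMPLE_MANIFEST = {
    "bomFormat": "CycloneDX",
    "properties": [
        {"name": "product", "value": "product-1"},
        {"name": "product", "value": "product-2"},
        {"name": "build", "value": "ignored-by-product-lookup"},
    ],
}


def manifest_get_products(security_manifest: Dict[Any, Any]) -> Set[str]:
    """Return the set of product names found in "properties"."""
    return {
        prop["value"]
        for prop in security_manifest.get("properties", [])
        if prop.get("name") == "product" and prop.get("value")
    }


def manifest_add_products(security_manifest_path: str, products: Set[str]) -> str:
    """Merge `products` into the manifest and write it to a new file beside it.

    Products already present are not duplicated, so re-running after a failed
    push keeps exactly one entry per product. The original file is untouched.
    """
    with open(security_manifest_path) as f:
        manifest = json.load(f)
    existing = manifest_get_products(manifest)
    props = manifest.setdefault("properties", [])
    for product in sorted(products - existing):
        props.append({"name": "product", "value": product})
    out_path = os.path.join(os.path.dirname(security_manifest_path),
                            "security_manifest_with_products.json")  # assumed name
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return out_path


def demo() -> List[str]:
    """Write the sample, merge an overlapping product set, return the products in file order."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "security_manifest.json")
        with open(path, "w") as f:
            json.dump(SAMPLE_MANIFEST, f)
        out = manifest_add_products(path, {"product-2", "product-3"})
        with open(out) as f:
            props = json.load(f)["properties"]
        return [p["value"] for p in props if p["name"] == "product"]
```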

get_source_item_security_manifests(item: Any, dir_path: str) -> List[DigestSecurityManifest]

Get security manifest of a source image.

A source image has only one architecture, so at most one security manifest will be present. Based on testing, source images don't seem to contain security manifests, so failure to extract one doesn't result in an error.

Args:
item (ContainerPushItem):

Push item of a source image.

dir_path (str):

Directory path where the manifest file should be created.

Returns [DigestSecurityManifest]:

Extracted security manifest.

get_multiarch_item_security_manifests(item: Any, dir_path: str) -> List[DigestSecurityManifest]

Get security manifests of a multiarch image.

Each architecture has its own security manifest. Older images don't have security manifests, so failure to extract them doesn't result in an error.

Args:
item (ContainerPushItem):

Push item of a multiarch image.

dir_path (str):

Directory path where the manifest files should be created.

Returns [DigestSecurityManifest]:

Extracted security manifests.

push_item_security_manifests(item: Any) -> None

Generate and push container security manifest images of a push item.

Args:
item (ContainerPushItem):

Push item.

push_security_manifests() -> None

Attest and push the security manifests of each push item in parallel.

Before the workflow is started for each push item, a skopeo login is performed. Cosign can only read credentials from the default Docker auth config file, so skopeo is used to write the correct credentials there. This has to be done at runtime because the credentials are target-specific.