Automated-Build Docker Repository for Security
Guarantee that Docker images are built definitely by a trusted third party.
Even if someone enable Docker automation-build, the owners can push Docker Hub from their local machine. So, someone bad guy can push malicious images.
This repository guarantees the images are completely built in Travis CI, and the image tar files are published to GitHub Releases. For proof of integrity, SHA256 of tar files are calculated.
You can verify SHA256 in Travis CI output and downloaded files. This ensures that your files should be built on Travis CI, and the build formula, Dockerfile and build script, "build.bash" are public without malicious code on GitHub.
Here is an example release.
You can verify SHA256 on the Travis job corresponding to the release and ones of your downloaded files.
Here is an example to load Docker image.
# Download
wget https://github.com/nwtgck/docker-repository/releases/....../myimage.tar
# Load
docker load < myimage.tarThen, docker images should output loaded image.
You can calculate SHA256 by shasum -a myimage.tar.
Here is the project structure.
- Each repository must be under
./reposdirectory. - Each repository must have
build.bash. - The
build.bashmust create./distdirectory. - The
./distshould have files of Docker image tar files.
repos/
├── hogeuser1
│ └── mydockerimage1
│ │ └── build.bash
│ └── mydockerimage2
│ └── build.bash
│ └── myasset1.txt
├── hogeuser2
│ └── mydockerimage1
│ └── build.bash
└── ...Special commit message triggers Docker build.
For example, commit message, "#[nwtgck/piping-server] Bump up to 0.9.2" triggers bash repos/nwtgck/piping-server/build.bash.
After build in Travis CI, the image will be available in GitHub Releases like an example release.
The format is like #[myimage_name]. repos/myname should exists in this repo. The commit message should contain one #[myimage_name] because too much image build consume a lot of time.