Overview of the Catalog stage

Building a Catalog of container images for internal use is the second stage of the supply chain for containers. Container images that pass certain quality checks from the Acquire stage are hosted in an internal registry. It is essential to catalog container images so internal teams can easily discover and consume approved images required by enterprise applications and services. Additionally, container images in a catalog are continuously scanned for vulnerabilities and malware to ensure they meet the latest security requirements.

Microsoft's Containers Secure Supply Chain (CSSC) framework identifies the need to catalog container images and provides a set of best practices and tools to help you securely host container images in a catalog. In this article, you will learn about the objectives, best practices, and tools that you can use for the Catalog stage of the CSSC framework.

Background

Currently, enterprises use various approaches to manage container images. It is a challenge for engineers to discover available container images and to understand their security posture and access-level restrictions within the enterprise. Some enterprises build their own portal on top of the registry to help engineers discover available container images. Additionally, some enterprises impose firewall restrictions and policies to restrict engineers from using container images directly from external registries.

The Catalog stage of the CSSC framework recommends a set of steps and security controls that should be implemented to ensure that container images are discoverable and monitored continuously to ensure security.

Microsoft recommends that internal teams use container images from an internal catalog whenever possible. If enterprises are not able to do so, we recommend the following practices for cataloging container images.

  • Catalog golden images to enable internal teams to easily discover and consume approved images required by enterprise applications and services.
  • Continuously scan container images for vulnerabilities and malware, generate reports, and sign reports to ensure authenticity and integrity.
  • Monitor the lifecycle of cataloged images and retire images that are out of support.

Workflow for catalog of container images

The CSSC framework recommends the following workflow to catalog container images, help secure container images and internal registries, and accept container images for internal use. The workflow for cataloging container images does the following:

  1. Hosts the container images that pass quality checks, along with relevant metadata, in an internal staging registry.
  2. Catalogs container images to enable internal teams to easily discover and consume approved images required by enterprise applications and services.
  3. Schedules vulnerability and malware scans on a regular cadence and generates vulnerability and malware reports.
  4. Signs the reports with enterprise keys to ensure integrity and provide a trusted stamp of approval for internal use.
  5. Monitors the lifecycle of container images in the catalog and retires the images that are out of support.
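
As an added example (not part of the CSSC framework or of any Microsoft tool), the following Python code applies steps 3 to 5 of the workflow as a gate over catalog records: it retires out-of-support images, requests a rescan when the report is missing or stale, and holds back images whose report signature does not verify or whose report lists critical findings. The record fields, the 7-day scan age limit, the action names, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy (not defined by the CSSC framework): reports older than
# 7 days are stale, and any critical finding blocks consumption.
MAX_SCAN_AGE = timedelta(days=7)

@dataclass
class CatalogEntry:                # hypothetical record layout
    ref: str                       # repository:tag in the internal registry
    end_of_support: date           # support cutoff recorded in the catalog
    last_scan: Optional[date]      # date of the newest scan report, if any
    report_signature_ok: bool      # outcome of verifying the report signature
    critical_findings: int         # count read from the report

def evaluate(entry: CatalogEntry, today: date) -> str:
    """Return retire, rescan, quarantine or serve for one catalog image."""
    # Step 5: out-of-support images are retired whatever their scan state.
    if today > entry.end_of_support:
        return "retire"
    # Step 3: a missing or stale report means the posture is unknown.
    if entry.last_scan is None or today - entry.last_scan > MAX_SCAN_AGE:
        return "rescan"
    # Step 4: a report whose signature does not verify is untrusted, so its
    # finding count is never consulted.
    if not entry.report_signature_ok:
        return "quarantine"
    return "quarantine" if entry.critical_findings > 0 else "serve"

def review_catalog(entries, today):
    """Map each image reference to its catalog action."""
    return {e.ref: evaluate(e, today) for e in entries}

# Constructed sample data: registry host, image names and dates are invented.
TODAY = date(2024, 6, 1)
REG = "registry.example.internal/golden"
SAMPLE = [
    CatalogEntry(f"{REG}/runtime-a:3", date(2026, 1, 31), date(2024, 5, 30), True, 0),
    CatalogEntry(f"{REG}/runtime-b:16", date(2023, 9, 30), date(2024, 5, 31), True, 0),
    CatalogEntry(f"{REG}/proxy:1", date(2025, 4, 30), date(2024, 5, 10), True, 0),
    CatalogEntry(f"{REG}/cache:7", date(2025, 12, 31), date(2024, 5, 31), False, 0),
    CatalogEntry(f"{REG}/db:15", date(2027, 11, 30), None, False, 0),
    CatalogEntry(f"{REG}/queue:2", date(2026, 6, 30), date(2024, 5, 29), True, 2),
]

if __name__ == "__main__":
    for ref, action in review_catalog(SAMPLE, TODAY).items():
        print(f"{action:10} {ref}")
```

The order of the checks matters: the signature result is consulted before the finding count, so a tampered report that claims zero criticals still results in quarantine.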

Security goals in the Catalog stage

Having a well-defined workflow for the catalog of container images helps enterprises increase their security and reduce the attack surface on their supply chain for containers. The Catalog stage of the CSSC framework is intended to satisfy the following security goals.

Reduce attack surface due to external dependencies

If container images are not available or difficult to find, internal teams may opt to use container images directly from external registries, which exposes them to attacks like malicious container images.

To address this risk, the Catalog stage in the CSSC framework recommends cataloging golden images to enable internal teams to easily discover and consume approved images required by enterprise applications and services. It also continuously adds images from the Acquire stage based on internal team usage.

Minimize the risk of introducing security flaws

Container images in a catalog can become outdated or unpatched, which increases the risk of inadvertently using images that can introduce security vulnerabilities and malware into enterprise applications.

To address this risk, the Catalog stage in the CSSC framework recommends continuously scanning container images for vulnerabilities and malware, and generating reports in standard formats. This allows validation of reports before use in subsequent stages of the software supply chain.

Microsoft offers a set of tools and services that can help enterprises implement the recommended steps in the Catalog stage workflow and address the security goals listed above.

Services for hosting container images

Azure Container Registry (ACR) is a managed, OCI-compliant registry that supports the distribution of container images and other cloud-native artifacts. ACR is compliant with the latest OCI specifications and can be used to store supply chain artifacts.

Tools for vulnerability scanning

Microsoft Defender for Cloud is the cloud-native solution to improve, monitor, and maintain the security of your containerized workloads. Microsoft Defender for Cloud offers vulnerability assessment and management tools for images stored in Azure Container Registry.

Tools for ensuring image authenticity

Notary Project is a Microsoft-backed CNCF project that develops specifications and tooling for signing and verifying software artifacts. Notary Project's notation tool can be used to sign container images and other cloud-native artifacts with enterprise keys.

Next steps

See the overview of the Build stage for securely building container images.