How to know if a container artifact repository should be trusted

Question

An unpinned base image has been flagged by Fortify as a potential security issue. How can I know that container artifact repository should be trusted?

Answer

Software Assurance views Infrastructure as Code (IaC) files as potential vectors for attack, requiring these files be scanned using Fortify. These include images that are stored in VA container artifact repositories.

Best practice is that container artifact repositories follow a container hardening process according to VA policies and procedures. Where, a base image comes from a vendor or an open source community, then is configured according to VA guidelines, then is scanned for potential vulnerabilities, and so on.

To show that a container artifact repository can be trusted the following criteria is required:

• The developer must provide documentation that attests that the container artifact repository from which images are retrieved is managed and artifacts are hardened according to VA policy.
  • (There are no specific presentation or content requirements for this documentation, aside from addressing the above concerns)

Additional information

The following are examples of additional criteria that are recommended:

• Base images should be pinned and hardened
• Containers should undergo security scanning
• Container artifact repositories should be centrally hosted and managed