F
FeynmanZhou
The Open Container Initiative (OCI) community recently released OCI Image spec v1.1.0 and Distribution spec v1.1.0. Azure Container Registry (ACR) has supported OCI specifications v1.1.0 since its first release candidate in Jan 2023. Today, we announce support for the latest stable release v1.1.0, which provides a production-ready support for OCI artifacts in addition to container images.
ACR has passed the OCI conformance test and is now certified by the OCI community as an OCI-v1.1 compliant registry. The test report is available on the OCI-Conformant Products page.
By supporting the new version of OCI, ACR can store, distribute, and discover non-container content as OCI artifacts in addition to container images, which expands the possibilities of what can be stored in a container registry. ACR can now be used for generic content management enabling centralized access control and enhanced supply chain security.
Three major capabilities are now supported in ACR:
OCI Artifacts empower users to publish and store associated content alongside container images in ACR. Containers Secure Supply Chain initiatives require the distribution of supply chain artifacts like signatures, vulnerability reports, SBOMs, and attestations alongside container images in the container registry, without modifying existing content.
To enable ACR customers to manage OCI artifacts and supply chain artifacts, the ACR team also provides open-source registry client tools and libraries including ORAS CLI and an SDK in various programming languages. ORAS is a CNCF (Cloud Native Computing Foundation) Sandbox project backed by Microsoft. It functions as a fully OCI v1.1 compliant registry client, tailored for image and OCI artifact management in container registries.
To increase transparency, integrity, and security, users can associate the supply chain and attestation metadata with a container image in ACR. ORAS CLI provides such capabilities to attach supply chain and attestation metadata as referrers to an image out-of-the-box. See the blog post Enriching Container Supply Chains with ORAS for the step-by-step tutorial.
As an OCI v1.1 compliant registry, ACR supports listing content within a repository. For example, if you want to list all SBOMs, just list a specific artifact type such as “sbom/example” from a repository by filtering out a new filed “artifactType” in a repository.
Users can view the reference graph between the image and associated referrers in a repository, and even inspect the details of the manifest file.
When publishing and distributing images to consumers, image publishers can attest their content is trustworthy via associated supply chain metadata and attestations. The associated content and subject images are portable. Users can validate the associated referrers and copy their images alongside the referrers across registries.
In addition, the ACR team also provides supply chain security tools including Notation and Ratify for artifact signing and verification. These tools are now OCI-v1.1 compliant and work seamlessly with ACR.
Want to efficiently manage your container images and OCI artifacts in ACR? Follow the guidance in Manage OCI Artifacts and Supply Chain Artifacts with ORAS to get started within minutes.
Learn concepts and best practices of containers secure supply chain from Containers Secure Supply Chain Framework: Containers Secure Supply Chain Framework documentation
Continue reading...
ACR has passed the OCI conformance test and is now certified by the OCI community as an OCI-v1.1 compliant registry. The test report is available on the OCI-Conformant Products page.
By supporting the new version of OCI, ACR can store, distribute, and discover non-container content as OCI artifacts in addition to container images, which expands the possibilities of what can be stored in a container registry. ACR can now be used for generic content management enabling centralized access control and enhanced supply chain security.
How OCI Spec v1.1 support benefits ACR customers
Three major capabilities are now supported in ACR:
- Establish relationships between container images and artifacts. For example, associate supply chain artifacts such as SBOMs, signatures, vulnerability scanning reports with a container image, as shown by the referrers panel in the ACR portal below.
- Package, store, and distribute generic non-container artifacts as OCI artifacts in ACR, such as Helm Charts, Kubernetes manifest files, WASM modules, OPA bundles, Bicep files.
- Discover and query artifact relationships. Distribute a graph of artifacts across registries and recursively delete a graph of artifacts. See Listing Referrers concept for details.
Enrich Containers Supply Chain Security for ACR
OCI Artifacts empower users to publish and store associated content alongside container images in ACR. Containers Secure Supply Chain initiatives require the distribution of supply chain artifacts like signatures, vulnerability reports, SBOMs, and attestations alongside container images in the container registry, without modifying existing content.
To enable ACR customers to manage OCI artifacts and supply chain artifacts, the ACR team also provides open-source registry client tools and libraries including ORAS CLI and an SDK in various programming languages. ORAS is a CNCF (Cloud Native Computing Foundation) Sandbox project backed by Microsoft. It functions as a fully OCI v1.1 compliant registry client, tailored for image and OCI artifact management in container registries.
Associate supply chain metadata with container images
To increase transparency, integrity, and security, users can associate the supply chain and attestation metadata with a container image in ACR. ORAS CLI provides such capabilities to attach supply chain and attestation metadata as referrers to an image out-of-the-box. See the blog post Enriching Container Supply Chains with ORAS for the step-by-step tutorial.
Content discovery
As an OCI v1.1 compliant registry, ACR supports listing content within a repository. For example, if you want to list all SBOMs, just list a specific artifact type such as “sbom/example” from a repository by filtering out a new filed “artifactType” in a repository.
Users can view the reference graph between the image and associated referrers in a repository, and even inspect the details of the manifest file.
Content promotion across registries
When publishing and distributing images to consumers, image publishers can attest their content is trustworthy via associated supply chain metadata and attestations. The associated content and subject images are portable. Users can validate the associated referrers and copy their images alongside the referrers across registries.
In addition, the ACR team also provides supply chain security tools including Notation and Ratify for artifact signing and verification. These tools are now OCI-v1.1 compliant and work seamlessly with ACR.
How to get started
Want to efficiently manage your container images and OCI artifacts in ACR? Follow the guidance in Manage OCI Artifacts and Supply Chain Artifacts with ORAS to get started within minutes.
Learn concepts and best practices of containers secure supply chain from Containers Secure Supply Chain Framework: Containers Secure Supply Chain Framework documentation
Continue reading...