-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding OCI Image Annotations to .NET images #5531
Comments
[Triage] This has potential to simplify our image info file if we can use this to check for base image updates. However, it may be less practical to use if we would need to submit a separate request to MCR for each image's manifest instead of sending one request to grab our image info file for all of the current base image digests. |
This seems to have limited ROI for us at the moment. If there are any users who would benefit from the addition of these OCI image annotations, we would like to hear about your scenario. I'll leave this issue open to solicit discussion for a while. |
Well, I just wanted to open an issue regarding this. So here is the first scenario. Annotations would be great for us since we need to fulfill some requirements made by the BSI (Bundesamt für Sicherheit in der Informationstenik), regarding the so called "Cyber Resilience Act" of the EU (see: Technical Guideline TR-03183). Whit the mentioned opencontainers annotations, we would be able to create a kind of treeview of all our components to hand it over to our auditor. In addition, we're using "Docker Scout" which is indeed able to validate base images based on the given annotations. |
Thanks for chiming in @xendon. Which specific annotation(s) would help in your scenario? I'm assuming |
See the list of pre-defined OCI image annotations here:
https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
Several of these annotations overlap with our
image-info.json
spec. Of note are:(The base image annotations were added to the spec in 2021)
We have already computed lots of this information when we build our images. We should consider adding these annotation to image manifests in addition to (or instead of) tracking it ourselves in image-info.json files.
The text was updated successfully, but these errors were encountered: