diff --git a/content/blog/docker-sponsored-open-source-program/docker-hub-analytics.jpg b/content/blog/docker-sponsored-open-source-program/docker-hub-analytics.jpg index ef7a917..9e29382 100644 Binary files a/content/blog/docker-sponsored-open-source-program/docker-hub-analytics.jpg and b/content/blog/docker-sponsored-open-source-program/docker-hub-analytics.jpg differ diff --git a/content/blog/docker-sponsored-open-source-program/docker-hub.jpg b/content/blog/docker-sponsored-open-source-program/docker-hub.jpg index 5de895e..5dd13a6 100644 Binary files a/content/blog/docker-sponsored-open-source-program/docker-hub.jpg and b/content/blog/docker-sponsored-open-source-program/docker-hub.jpg differ diff --git a/content/blog/docker-sponsored-open-source-program/index.md b/content/blog/docker-sponsored-open-source-program/index.md index 230ad4a..0819905 100644 --- a/content/blog/docker-sponsored-open-source-program/index.md +++ b/content/blog/docker-sponsored-open-source-program/index.md 
@@ -26,11 +26,11 @@ The program grants the following perks to eligible projects: ## Docker Hub -**Before:** Score is publishing four containers: three for the CLIs of [`score-compose`](https://github.com/score-spec/score-compose), [`score-k8s`](https://github.com/score-spec/score-k8s) and [`score-radius`](https://github.com/score-spec/score-radius); and the [`sample-score-app`](https://github.com/score-spec/sample-score-app) for demos and testing. We used to publish them in GitHub Container Registry [here](https://github.com/orgs/score-spec/packages). +**Before:** Score is publishing five containers: four for the CLIs of [`score-compose`](https://github.com/score-spec/score-compose), [`score-k8s`](https://github.com/score-spec/score-k8s), [`score-helm`](https://github.com/score-spec/score-helm) and [`score-radius`](https://github.com/score-spec/score-radius); and the [`sample-score-app`](https://github.com/score-spec/sample-score-app) for demos and testing. We used to publish them in GitHub Container Registry [here](https://github.com/orgs/score-spec/packages). **After:** Being part of the DSOS Program gives use the opportunity to publish them in Docker Hub, and gain more visibility and trust from the community. -You can now find our four container images [in Docker Hub here](https://hub.docker.com/u/scorespec). +You can now find our five container images [in Docker Hub here](https://hub.docker.com/u/scorespec). ![](docker-hub.jpg) 
@@ -87,7 +87,7 @@ For example for the `score-radius` CLI (using [dhi.io/golang](https://dhi.io/cat ![](score-radius-dhi-diff.jpg) -In the associated PR [here](https://github.com/score-spec/score-radius/pull/28), we can see that 22 packages were removed (package manager and shell included) and that 2 CVEs were removed: +In the associated PR [here](https://github.com/score-spec/sample-score-app/pull/58), we can see that 0.3MB was saved for the size while keeping the same number of packages and still having 0 CVEs. We could have stayed with `debian` but we decided to move to an `alpine` base image (DHI provides the [two options](https://docs.docker.com/dhi/core-concepts/glibc-musl/)): ![](score-radius-dhi-scout-compare.jpg) @@ -95,7 +95,7 @@ Another example with the `sample-score-app` (using [dhi.io/node](https://dhi.io/ ![](score-sample-app-dhi-diff.jpg) -In the associated PR [here](https://github.com/score-spec/sample-score-app/pull/58), we can see that 0.3MB was saved for the size while keeping the same number of packages and still having 0 CVEs. We could have stayed with `debian` but we decided to move to an `alpine` base image (DHI provides the [two options](https://docs.docker.com/dhi/core-concepts/glibc-musl/)): +In the associated PR [here](https://github.com/score-spec/score-radius/pull/28), we can see that 22 packages were removed (package manager and shell included) and that 2 CVEs were removed: ![](score-sample-app-dhi-scout-compare.jpg) 
@@ -192,12 +192,18 @@ This workflow provides a trusted BuildKit instance and generates signed SLSA-com We still get our container images signed by `cosign`. Anyone can verify the trusted signature like this: {{< highlight shell >}} +TAG=latest +PLATFORM=amd64 +SIGNED_DIGEST=$(crane manifest scorespec/score-compose:$TAG \ + | jq -r --arg platformdigest \ + "$(crane digest --platform linux/$PLATFORM scorespec/score-compose:$TAG)" \ + '.manifests[] | select(.annotations["vnd.docker.reference.digest"] == $platformdigest) | .digest') cosign verify \ --experimental-oci11 \ --new-bundle-format \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity-regexp ^https://github.com/docker/github-builder/.github/workflows/build.yml.*$ \ - ghcr.io/score-spec/score-compose@sha256:8dc5be472c7b71d55284451fd37d95710b10b742a6d06b79a34d70131eaaa4b4 + scorespec/score-compose@$SIGNED_DIGEST {{}} ## That's a wrap!
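Review bot: `SIGNED_DIGEST` is used without being checked, so if no entry in the index carries a `vnd.docker.reference.digest` annotation equal to the platform digest (attestations not pushed for that tag, or `crane` returning an error body that `jq` cannot parse), the variable is empty and the final argument becomes `scorespec/score-compose@`, which fails with a confusing reference-parsing error rather than a clear message. Add `set -euo pipefail` at the top of the snippet and a guard such as `[ -n "$SIGNED_DIGEST" ] || { echo "no signed manifest found for linux/$PLATFORM" >&2; exit 1; }` before `cosign verify`. Separately, the mutable tag in `TAG=latest` is resolved twice (once by `crane manifest`, once by `crane digest --platform`); if the tag moves between the two calls the platform digest is searched in the wrong index and `select` silently matches nothing, so resolve `scorespec/score-compose:$TAG` to its index digest once and use `scorespec/score-compose@<index digest>` in both calls. The removed line was pinned to a fixed `sha256:` digest, so the prose above the block should say that the new version intentionally verifies whatever `latest` currently points at, and it should list `crane` and `jq` as prerequisites alongside `cosign`.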
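Review bot: in the `@@ -95` hunk, the paragraph under "Another example with the `sample-score-app` (using dhi.io/node ...)" now links to `score-radius/pull/28` and states that 22 packages (package manager and shell included) and 2 CVEs were removed, which is the Go CLI's result, while the image that follows is still `score-sample-app-dhi-scout-compare.jpg`. A reader following the PR link from the Node section lands in the `score-radius` repository. Confirm whether the text or the two screenshots were originally mismatched; if it was the screenshots, rename the image files and keep the `sample-score-app/pull/58` sentence here so the section stays self-consistent.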
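Review bot: in the `@@ -87` hunk, the paragraph sits under "For example for the `score-radius` CLI (using dhi.io/golang ...)" but now links to `sample-score-app/pull/58` and describes the Node image's outcome (0.3MB saved, same package count, 0 CVEs), while the image it introduces is still `score-radius-dhi-scout-compare.jpg`. As written the sentence contradicts its own section heading and screenshot. If the intent was to correct a mix-up, swapping the image filenames is the smaller and clearer change; otherwise restore the original `score-radius/pull/28` sentence with its "22 packages removed" figures.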
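Review bot: in the `@@ -26` hunk, both edited lines are updated consistently (five images, four CLI images with `score-helm` added), but the unchanged sentence between them still reads "gives use the opportunity" and should be "gives us the opportunity"; since the paragraph is being edited anyway, fix the typo in the same change. Also worth checking that the `score-helm` image is actually published under https://hub.docker.com/u/scorespec before the post states that five images can be found there.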