
The Black Duck GKE Binary Authorization solution lets you control container deployment into GKE by using attestations tied to Black Duck policies. The Black Duck Policy Management feature enables you to create rules that govern your use of open source components in your code base, which can help you reduce open source security, license, and operational risks. Black Duck's Binary Authorization solution is an add-on to the Synopsys Black Duck Cloud Build Solution, and creates an attestation based on the Black Duck policy violation status. The Black Duck attestation attests that a container has passed Black Duck policy and is ready for deployment.

Are you using Binary Authorization? The Synopsys Cloud Build Scanner can write Container Analysis Notes to an Attestor tied to a Black Duck scan. If a policy violation occurs during a Black Duck scan in Cloud Build, no attestation is created and the image cannot be deployed to GKE.

...

Please send any questions or suggestions to partner-solutions@synopsys.com.

Architecture

The following diagram shows the components in a Black Duck Binary Authorization Cloud Build setup:

The components are as follows:

...

Sample build specification YAML to scan and attest an image in GCR:

steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['pull', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}:${_IMAGE_TAG}'] #Pull the Docker Image you want to attest
- name: 'gcr.io/cloud-builders/docker'
  args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}:${_IMAGE_TAG}'] #Save the Docker Image to a TAR File
- name: 'gcr.io/cloud-builders/gcloud-slim'
  args: ['iam', 'service-accounts', 'keys', 'create', '${_SA_KEY_FILE}', '--iam-account', '<<Service Account Name>>@$PROJECT_ID.iam.gserviceaccount.com' ] #Create a Service Account Key
- name: 'gcr.io/cloud-builders/gsutil'
  args: [ 'cp', 'gs://<<Storage Bucket Name>>/${_PV_KEY_FILE}.enc', '.'] #Copy the encrypted Private Key file to the Cloud Build Worker
- name: 'gcr.io/cloud-builders/gcloud' #Decrypt all KMS Secrets using the Key Ring and Key Name
  args:
  - kms
  - decrypt
  - --ciphertext-file=${_PV_KEY_FILE}.enc
  - --plaintext-file=${_PV_KEY_FILE}
  - --location=global
  - --keyring=<<KMS KeyRing Name>>
  - --key=<<KMS Key Name>>
- name: 'gcr.io/cloud-marketplace/blackduck-publicdev/synopsysgoogle-cloudbuild-scanner'
  secretEnv: [ 'PRIVATE_KEY_PASSWD', 'BD_TOKEN' ]
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>' #The URL of your Black Duck Instance
  - '--blackduck.api.token'
  - '$$BD_TOKEN' #Black Duck API Token decrypted by KMS
  - '--blackduck.trust.cert'
  - 'true' #Use this option if your instance of Black Duck has a self-signed certificate
  - '--detect.project.name'
  - '${_IMAGE_NAME}' #Project Name to map scan to in Black Duck UI
  - '--detect.project.version.name'
  - '${_IMAGE_TAG}' #Project Version to map scan to in Black Duck UI
  - '--detect.report.timeout'
  - '1200' #Set Timeout to prevent Detect from Timing Out while waiting for Policy Check
  - '--detect.tools' # List of Scanners to Run
  - 'SIGNATURE_SCAN'
  - '--detect.source.path' # Target for Signature Scan
  - './${_IMAGE_NAME}.tar'
  - '--detect.policy.check.fail.on.severities'
  - 'CRITICAL' #Will not generate an attestation if any CRITICAL policies are violated
  - '--binary.authorization.attestor.id'
  - 'blackduck-scan'
  - '--binary.authorization.attestor.private.key.file'
  - '${_PV_KEY_FILE}'
  - '--binary.authorization.image.path'
  - 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}:${_IMAGE_TAG}'
  - '--binary.authorization.attestor.key.file'
  - '${_SA_KEY_FILE}'
substitutions:
  _IMAGE_NAME: <<IMAGE NAME TO SCAN>>
  _IMAGE_TAG: <<IMAGE TAG TO SCAN>>
  _SA_KEY_FILE: sa_key.json
  _PV_KEY_FILE: pv_key.pgp
secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
  secretEnv:
    BD_TOKEN: <<base64 encoded encrypted Black Duck API Token>>
    PRIVATE_KEY_PASSWD: <<base64 encoded encrypted Private Key Password>>
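The build specification only creates the attestation; it is the cluster's Binary Authorization policy that actually refuses an image with no attestation. The following policy is an added example, not part of the original page or the Synopsys solution. It requires every image deployed to the project's clusters to carry an attestation from the `blackduck-scan` attestor used in the build specification, and blocks (and audit-logs) anything else. PROJECT_ID is a placeholder; the policy is applied with `gcloud container binauthz policy import policy.yaml`.

```yaml
# Binary Authorization project policy (added example, assumes PROJECT_ID is
# replaced with the project that owns the blackduck-scan attestor).
name: projects/PROJECT_ID/policy

# Keep Google's global policy so GKE system images stay deployable without
# needing a Black Duck attestation.
globalPolicyEvaluationMode: ENABLE

# No admission whitelist patterns: every other image must be attested.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  # Block the deployment and write an audit log entry. Use
  # DRYRUN_AUDIT_LOG_ONLY first to see what would be rejected.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/blackduck-scan
```

Start with `enforcementMode: DRYRUN_AUDIT_LOG_ONLY` to confirm from the audit logs that only un-attested images would be refused, then switch to `ENFORCED_BLOCK_AND_AUDIT_LOG`. An image whose scan fails the CRITICAL policy check in the build above never gets the attestation, so it is rejected by this rule at deploy time.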

...