Frequently Asked Questions

Welcome to Iron Bank, we are glad you're here! For commonly asked questions and answers, please see the document below. If you have any further questions that are not included below, please contact the Iron Bank team directly.

1.0 General

1.1 What is Iron Bank?

Iron Bank is a repository of hardened and approved container images that can be used across the Department of Defense (DoD) and other organizations to ensure security and compliance. It can be accessed by anyone with a Platform One account.

1.2 What is the cost model for Iron Bank?

Currently there is no cost to contributors or users for Iron Bank. It is a service currently funded by the US Department of Defense.

1.3 Can non-US organizations access Iron Bank?

This is assessed on a case-by-case basis. Your country may already be approved. Please contact us at help@dsop.io if you are having any issues.

1.4 What are the current Information Level (IL) levels supported by Iron Bank?

Currently Iron Bank is only available at IL 2. We are working hard to make our images available at both IL 5 and IL 6.

2.0 Accessing Resources

2.1 How do I register for a Repo1 account?

Visit the new account guide https://sso-info.il2.dso.mil/new_account.html. Under the "MFA Log In" button, there is a registration link. Once you have created an account, you can sign into Repo1 with the same credentials.

2.2 How can I see a list of applications hosted in Iron Bank?

Visit the Iron Bank Catalog to see all containers available in Iron Bank along with their corresponding documentation. Note that Iron Bank does not "run" containers for users. We publish them and make them available to our users to deploy in their own environments.

This requires a Repo1 account to access.

2.3 How do I log in to Registry1 with Docker and use Docker to pull images?

Registry1 does not allow for anonymous image pulls. This requires a Repo1/Registry1 account. (See Pulling an Image)

2.4 How do I get a robot account to automate image pulls from Registry1?

Submit a help desk ticket at the Iron Bank Help Desk or send an email to help@dsop.io with the following information:

  • Company name
  • Project name
  • Two POCs and their emails

You may also submit an issue in Repo1 here, using the "Robot account" template.

2.5 If I'm not a DoD organization, am I still allowed to contribute?

Yes. Although Iron Bank primarily supports DoD organizations and vendors, ultimately Iron Bank is for everyone to consume from or contribute to. Please reference https://docs-ironbank.dso.mil/quickstart/contributor-onboarding/

Government Off the Shelf (GOTS) projects are not allowed within Iron Bank.

2.6 How do I bring my containers to Iron Bank?

Vendors and contributors can onboard with Iron Bank by filling out our Getting Started Form. The Iron Bank Onboarding team will reach out to the specified point of contact with next steps. (See Onboarding Services)

2.7 If I have extra developers from my organization that need access to my repository, how do I get them added?

Open a new Issue in your repository. In the Description field, select the Access Request template. Specify the username and level of access for each developer. The correct labels will be applied for our team to address the issue.

3.0 ABC and ORA

3.1 What artifacts does Iron Bank provide for hosted containers?

All automated artifacts are available for all Iron Bank containers, including Verified and Unverified:

  • Scan results from Anchore, Twistlock and OpenSCAP, including CVEs and OS STIG policy checks
  • ClamAV virus scan
  • Trufflehog secrets scan
  • SBOMs generated with Syft
  • Image rebuilt every 24 hours with updated OS packages
  • Cosign signature
  • Vendor justifications for findings in VAT
  • Automated ABC (Compliant/Non-compliant) and numeric ORA score

3.2 I have a high finding that is justified, yet my container is marked non-compliant... why?

Each finding has a timeline that depends on its severity, with deadlines for justification, mitigation and remediation; see Table B of the ABC policy for exact details. If all you have entered in VAT are justifications, that will get you through the first deadline but not the rest of the deadlines for mitigation and remediation. Inside VAT, the ABC score evaluation can be broken down at the container level or per finding by clicking on the ABC related buttons.

3.3 Where can I find information on the ABC/ORA scoring?

Please reference our Iron Bank Docs at Overall Risk Assessment or ABC Compliance.

3.4 Does FIPS affect ORA?

Not at this time, although this may be implemented in the future.

3.5 Do pipeline failures on the IronBank side affect ORA?

No, failed pipelines never affect ORA. On the other hand, successful pipelines affect ORA positively.

4.0 Security and ATO

4.1 Because we benefit from the c-ATO from Platform One, do we still need our own ATO?

If you have a c-ATO from Platform One, you do not need your own ATO. Iron Bank does not issue or facilitate c-ATOs at Platform One. For questions about your c-ATO please contact Party Bus or your Customer Success Advocate.

4.2 For existing programs with existing hardware and infrastructure that are not ready to jump to a cloud solution, will there be some degree of reciprocity/trust when using containers from Iron Bank?

Iron Bank does not authorize or approve containers at this time. We provide a transparent assessment of the container which you can use to get your own authorization.

4.3 Can ITAR controlled information be uploaded to Iron Bank?

No.

4.4 What are the expectations from my organization once our container is published?

New findings on the container must be addressed as soon as possible, and the application and its dependencies must be kept up-to-date.

4.5 Which findings am I responsible for providing justifications for?

Vendors and contributors are responsible for all container pipeline scan findings. Base image findings should not appear on your container layer; if they do, the base image's recent findings have not yet been reviewed.

5.0 Container Hardening Process

5.1 Does Iron Bank provide protection for artifacts?

We are working on a feature to protect artifacts produced in certain repos, however this is not yet a feature available to vendors or contributors in Iron Bank.

5.2 What is Iron Bank’s role and/or responsibility throughout the hardening process?

For contributor-owned containers, the Iron Bank team can assist in resolving pipeline issues and development branch merges. The Iron Bank team is also responsible for the verification process. Once you add the Review tag, the Iron Bank team will take it from there. Aside from this process, all responsibilities are on the contributor.

5.3 How can I get a list of available Iron Bank base images?

Browse to the IronBank frontend at https://ironbank.dso.mil/about. Click on "Browse All Hardened Containers." In the Filters column on the left, find the Categories section and choose Base Images. This will return all the currently available Iron Bank base images.

5.4 How do I get help for my container?

In the GitLab repository, please create an issue and apply the CSO::To Do label to it. A member of the Customer Success Onboarding Team will then be able to review, remediate and escalate as necessary.

5.5 How do I check the status of my container?

Check the status of your container by watching the associated GitLab Issue. We have also opened our Vulnerability Assessment Tracker (VAT) tool to contributors. You can request access to VAT by opening a "VAT User Access Request" in your repository.

5.6 How do I communicate the current status of my project to Iron Bank?

You can communicate the status of your project to Iron Bank by providing updates in the corresponding GitLab Issue.

5.7 Can I harden a container through Iron Bank that is only used to package binaries?

No. All containers that go through Iron Bank must be fully functional and not utilized simply to transfer artifacts from one environment to another.

5.8 I will be using a Kubernetes liveness/readiness probe instead of a Docker HEALTHCHECK. Do I still need the HEALTHCHECK in the Dockerfile?

No, we do not require the use of HEALTHCHECK, as it is no longer a part of the OCI format.

5.9 Does Iron Bank offer license keys?

No, Iron Bank does not support license keys nor any other methods to protect your IP. You must incorporate the necessary technologies to protect your own IP.

5.10 How long does it take to harden my containers?

If you are a contributor or a vendor, then the responsibility of hardening the container is on you! We are here to answer any and all questions you may have, but it's your responsibility to harden the container and make it secure for DoD use.

5.11 Can I contribute a commercial product that is owned by another company?

No. Commercial products must be hardened and contributed only by the companies that own them or their representatives. When a commercial product is added, the open-source version, if there is one, must be hardened in Iron Bank as well.

5.12 What is the best way to get general help?

If you already have a container in Iron Bank, you can create Issues in your repository. Alternatively, we hold an AMA session every Wednesday to help answer your questions. You can register at https://www.zoomgov.com/meeting/register/vJIsdemoqTMpGpm-2c6xjdAm0MLD6vuvu5I.

5.13 Are there any size limits for container images?

Yes, the maximum size limit for a container image is 20 GB. Please contact Iron Bank support for specific details.

5.14 Can I use an open-source container that is not in Iron Bank as a base image?

If you need to use an open-source container that is not currently in Iron Bank, you will need to submit a request through the Vendor Onboarding procedures.

5.15 How can I check which UBI version is being used by an image?

You can check the UBI version used by an image by looking at the Dockerfile or hardening_manifest.yaml in the image's repository on Repo1, or you can use skopeo inspect (https://github.com/containers/skopeo) to remotely inspect container image internals without pulling the image.

6.0 Continuous Monitoring

6.1 Is there a Service Level Agreement (SLA) for vendors to respond to updates?

Ideally, vendors should respond according to the timelines enumerated in the ABC document. It is critical that vendors automate their software container updates and dependencies in real-time, with as little delay as possible.

7.0 Pipeline

7.1 Does Iron Bank's pipeline include static code analysis?

Not at this time, however we are always looking to make Iron Bank better. The current tools we are using in the Iron Bank pipeline are:

  • Anti-virus scanning with ClamAV
  • Modified STIGs for UBI/Ubuntu and other stop/go compliance standards
  • Secrets scanning with truffleHog
  • Vulnerability scanning with Twistlock and Anchore

7.2 Can I download external resources as part of the container build process?

External resources can be downloaded by specifying the URL, filename, and SHA sum in a file called hardening_manifest.yaml. More information can be found in the Iron Bank Hardening Manifest Docs.

7.3 If my artifacts are hosted in a protected location that requires credentials, can I download them in the pipeline?

If credentials are needed to pull your artifacts, work with a member of the CHT to add those to your GitLab group. Inside your hardening_manifest.yaml, you will specify the authentication details, see example here.

7.4 Where will the artifacts end up after the pipeline has pulled them from the URLs defined in hardening_manifest.yaml?

All artifacts are placed in the build context root, and can be copied to the desired location.

COPY [--chown=<user>:<group>] <src>... <dest>
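Added example, not part of the Iron Bank docs or pipeline: a Python check that mirrors what sections 7.2 and 7.4 describe, computing the SHA-256 of each resource sitting in the build context root and comparing it with the validation value from hardening_manifest.yaml before a Dockerfile COPY picks the file up. The resources list is constructed for the demo, and the key names (url, filename, validation.type, validation.value) are assumed to match the Hardening Manifest Docs; in practice the list would come from yaml.safe_load() of the manifest.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the `resources` section of a hardening_manifest.yaml,
# in the shape yaml.safe_load() would return (key names are an assumption).
RESOURCES = [
    {"url": "https://example.invalid/app-1.0.tar.gz",
     "filename": "app-1.0.tar.gz",
     "validation": {"type": "sha256",
                    "value": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}},
    {"url": "https://example.invalid/plugin.jar",
     "filename": "plugin.jar",
     "validation": {"type": "sha256", "value": "0" * 64}},
]


def sha256_of(path, chunk=1 << 20):
    """Stream the file so multi-GB artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_resources(resources, context_dir):
    """Return {filename: status} with status in ok/mismatch/missing/unsupported/bad_filename."""
    results = {}
    for res in resources:
        name = res.get("filename", "")
        # A filename with path components could escape the build context root.
        if not name or os.path.basename(name) != name:
            results[name] = "bad_filename"
            continue
        validation = res.get("validation", {})
        if validation.get("type") != "sha256":
            results[name] = "unsupported"
            continue
        path = os.path.join(context_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        expected = str(validation.get("value", "")).lower()
        results[name] = "ok" if sha256_of(path) == expected else "mismatch"
    return results


def demo():
    """Build a throwaway context: one artifact matches its manifest hash, one was altered."""
    with tempfile.TemporaryDirectory() as ctx:
        with open(os.path.join(ctx, "app-1.0.tar.gz"), "wb") as f:
            f.write(b"abc")  # sha256("abc") is the value listed in RESOURCES
        with open(os.path.join(ctx, "plugin.jar"), "wb") as f:
            f.write(b"not the bytes the manifest was written for")
        return verify_resources(RESOURCES, ctx)


if __name__ == "__main__":
    print(demo())
```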

7.5 Can we get access to a pre-production environment in order to test and validate our application?

Not at this time. Due to the DoD's security posture, you must set up your own environment to validate the functionality of your containers. Iron Bank does not run or test the containers in the pipeline; we simply build and scan them.

8.0 VAT

8.1 As a vendor or contributor, how do I request access to the Vendor VAT?

Open an issue in Repo1 and fill out the VAT Access Request issue template. Requests can also be submitted via email to help@dsop.io.

8.2 Where can I get updates about VAT and give feedback?

If you have Mattermost access, you can do this at https://chat.il2.dso.mil/platform-one/channels/vatibfe-announcements. If you do not have Mattermost access, you can request it by emailing help@dsop.io.

8.3 Is there a public VAT API?

Yes, at https://vat.dso.mil/api/p1/swagger/ui/

9.0 Security and Compliance

9.1 How does Iron Bank handle container security and compliance?

Iron Bank provides automated artifact generation for hosted containers, including scan results, virus scans, secrets scans, SBOMs, and more. Containers are also rebuilt every 24 hours with updated OS packages.

9.2 What is the process for addressing findings in container images?

Vendors and contributors are responsible for addressing all container pipeline scan findings. New findings must be addressed as soon as possible, and applications and their dependencies must be kept up-to-date. See our Hardening Guide Justifications for more details.

9.3 How are findings verified in Iron Bank?

Findings are verified based on the Container Hardening Guide, and a score is applied to give an idea of the image's standing. The Vulnerability Assessment Tracker (VAT) provides a detailed breakdown of findings and their statuses.

9.4 What is the relationship between ABC compliance and DoD STIGs?

There is not a direct relationship between ABC compliance and DoD STIGs. ABC compliance is determined based on automated artifact generation and scanning results.

10.0 Onboarding and Support

10.1 How can I check the status of my onboarding request?

If you have submitted an application for onboarding, you can check the status of your request by contacting the CSO team.

10.2 How can I get support for my container or project?

For support, you can create issues in your repository using the appropriate templates, attend AMA sessions, or contact Iron Bank support directly.

11.0 Miscellaneous

11.1 What is Party Bus?

Party Bus is an organization that uses Big Bang to provide a suite of tools that allows you to create an app within the environment and get approval for it to be hosted. The app goes through all the vulnerability scans and is then given a score based on the results.

11.2 How can I get invited to the Mattermost server?

To get invited to the Mattermost server, please email help@dsop.io with your request.

11.3 How do I delete an old image from the Iron Bank repository?

At this time, images cannot be deleted. You can archive an image, which hides it from the public but still allows it to be pulled. This is to support downstream programs, as not everyone can use the latest version of your container for their mission.

11.4 Is there a way to skip the VAT verifications to push a branch to development?

The Iron Bank Pipeline and Operations team has set up a way to skip VAT in branches. However, this requires intervention from the CHT/CSO team.

For more information and detailed documentation, please visit Iron Bank's official documentation site.