
Verification Process

Getting Started

This checklist is meant to provide a high level overview of the process and steps for getting your container(s) into Iron Bank.

  • Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the Sign in with Iron Bank SSO button on the sign-in page, followed by the Register button

  • Fill out the onboarding form

  • Your onboarding form will be processed by the Iron Bank team, who will assign it a priority level and create your repository. You will receive an email once your GitLab issue has been created; at that point you are ready to begin the hardening process

  • Make sure that all points of contact (POCs) are assigned to the issue so that tracking and notifications work properly

Hardening Process

Repository Requirements

Full documentation

  • A Dockerfile has been created in the root of the repository

  • hardening_manifest.yaml has been created in the root of the repository

  • The project has a LICENSE or a copy of the EULA

  • The project has a README.md in the root of the repository with sufficient instructions on using the Iron Bank version of the image

  • If your container is an enterprise/commercial container, the opensource version is ready

  • Scripts used in the Dockerfile are placed into a scripts directory

  • Configuration files are placed into a config directory

  • Project is configured for automatic renovate updates (if possible)

Dockerfile Requirements

Full documentation

  • There is one Dockerfile named Dockerfile

  • The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline)

  • The Dockerfile is based on a hardened Iron Bank image

  • The Dockerfile switches to a non-root USER before the container starts. If the container must run as root, proper justification is required.

  • If your ENTRYPOINT uses a script, the script is copied from the scripts directory in the project root

  • No ADD instructions are used in the Dockerfile

Hardening Manifest

Full documentation

  • Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json

  • The BASE_IMAGE and BASE_TAG arguments refer to a hardened and hosted Iron Bank image (BASE_REGISTRY defaults to registry1.dso.mil in the pipeline)

  • Relevant image metadata has been entered for the corresponding labels

  • Any downloaded resources include a checksum for verification, written in lowercase hex (uppercase letters are rejected)

  • For resource URLs that require authentication, credentials have been provided to an Iron Bank team member

  • The maintainers' contact information has been provided in the maintainers section
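As an added example (not Iron Bank's pipeline or tooling), the following Python script checks a project against the Dockerfile and hardening manifest requirements listed above before you push and wait for a pipeline run. The sample Dockerfile and manifest embedded in it are constructed: the base image name and tag, project name, resource URL, labels and maintainer are assumptions, and the manifest is given in the dict form that PyYAML's safe_load would return so the script runs without extra dependencies.

```python
"""Pre-submission lint for an Iron Bank project (added example, not Iron Bank's
pipeline code). The sample Dockerfile and manifest below are constructed; the
base image, tag, project name, URL and maintainer are assumptions."""
import hashlib
import re

BASE_ARGS = ("BASE_REGISTRY", "BASE_IMAGE", "BASE_TAG")
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")  # lowercase hex only, per the checklist

# Constructed sample Dockerfile that satisfies the checklist (base image/tag assumed).
SAMPLE_DOCKERFILE = """\
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
ARG BASE_TAG=9.3
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
COPY scripts/entrypoint.sh /usr/local/bin/entrypoint.sh
COPY config/app.conf /etc/example-app/app.conf
RUN chmod 0755 /usr/local/bin/entrypoint.sh
USER 1001
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
"""

# Constructed hardening_manifest.yaml in the dict form yaml.safe_load() returns
# (a dict so the example runs without PyYAML). The checksum is sha256("abc").
SAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "name": "opensource/example/example-app",
    "args": {"BASE_IMAGE": "ironbank/redhat/ubi/ubi9", "BASE_TAG": "9.3"},
    "labels": {"org.opencontainers.image.title": "example-app",
               "org.opencontainers.image.version": "1.2.3"},
    "resources": [{
        "url": "https://example.com/example-app-1.2.3.tar.gz",
        "filename": "example-app-1.2.3.tar.gz",
        "validation": {"type": "sha256",
                       "value": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    }],
    "maintainers": [{"name": "Jane Doe", "email": "jane.doe@example.com", "username": "jdoe"}],
}


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        inst, _, arg = (buf + line).partition(" ")
        out.append((inst.upper(), arg.strip()))
        buf = ""
    return out


def lint_dockerfile(text):
    """Return checklist violations for a Dockerfile (empty list means it passes)."""
    findings, instructions = [], parse_dockerfile(text)
    declared, first_from = set(), None
    for inst, arg in instructions:
        if first_from is None and inst == "ARG":
            declared.add(arg.split("=", 1)[0].strip())
        elif first_from is None and inst == "FROM":
            first_from = arg
    findings += [f"missing ARG {n} before FROM" for n in BASE_ARGS if n not in declared]
    if first_from is None or not all(f"${{{n}}}" in first_from for n in BASE_ARGS):
        findings.append("FROM must use ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}")
    if any(inst == "ADD" for inst, _ in instructions):
        findings.append("ADD is not allowed; use COPY")
    users = [arg.split(":")[0] for inst, arg in instructions if inst == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append("final USER must be non-root (or root with a documented justification)")
    for inst, arg in instructions:
        if inst == "COPY":  # sources are every token but the last, minus --flags
            sources = [t for t in arg.split() if not t.startswith("--")][:-1]
            findings += [f"script {s} must be copied from scripts/" for s in sources
                         if s.endswith(".sh") and not s.startswith("scripts/")]
    return findings


def lint_manifest(manifest):
    """Return checklist violations for a parsed hardening_manifest.yaml (sha256 only here)."""
    findings = []
    args = manifest.get("args") or {}
    findings += [f"args.{n} is missing" for n in ("BASE_IMAGE", "BASE_TAG") if not args.get(n)]
    for res in manifest.get("resources") or []:
        v = res.get("validation") or {}
        if v.get("type") != "sha256" or not SHA256_HEX.match(str(v.get("value", ""))):
            findings.append(f"resource {res.get('filename')} needs a lowercase sha256 checksum")
    if not any(m.get("email") for m in manifest.get("maintainers") or []):
        findings.append("maintainers must list at least one contact email")
    return findings


def verify_resource(data, validation):
    """Recompute the manifest checksum over downloaded bytes; hexdigest() is lowercase."""
    return hashlib.new(validation["type"], data).hexdigest() == validation["value"]


if __name__ == "__main__":
    for label, found in (("Dockerfile", lint_dockerfile(SAMPLE_DOCKERFILE)),
                         ("hardening_manifest.yaml", lint_manifest(SAMPLE_MANIFEST))):
        print(f"{label}: {'ok' if not found else found}")
```

To run it against a real project, pass the text of your Dockerfile to lint_dockerfile and the result of yaml.safe_load on hardening_manifest.yaml to lint_manifest. verify_resource compares hashlib's lowercase hex digest directly against the manifest value, so an uppercase value would never match; keeping the manifest lowercase avoids that class of false mismatch.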

GitLab CI Pipeline

Full documentation

  • Validate your container builds successfully through the GitLab CI pipeline. When viewing the repository in repo1.dso.mil, go to CI/CD > Pipelines on the left. From there, you can see the status of your pipelines.

  • Review the scan output from the csv output stage of the pipeline.

  • To the greatest extent possible, fix any vulnerabilities that were found and run the pipeline again to confirm that the fixes worked.

  • Justify as many findings as possible in the VAT (Vulnerability Assessment Tracker), following the documentation above.

Note: The last two steps give your container the best possible ORA (Overall Risk Assessment) score and the best chance of meeting the ABC (Acceptance Baseline Criteria) and being marked compliant.

Pre-Verification

  • Submit a Merge Request to the development branch

  • Apply the Hardening::Review label to the corresponding issue

  • Feature branch has been merged into development

  • Address any new findings from the development branch pipeline to the greatest extent possible.

  • Apply the Hardening::Approval label to indicate this container is ready for the final review phase

Hardening Review Process (Container Hardening Team processes)

  • Peer review by the Container Hardening Team

  • The findings reviewer has reviewed all justifications

Note: If the above process is kicked back for any reason, the Hardening::Review or Hardening::Approval label will be removed and the issue will be sent back to Open. Any comments will be listed in the issue for you to address. Once they have been addressed, you may re-add the Hardening::Review label.

Post-Verification

  • Your issue has been closed

  • Your project has been merged into master

  • Master branch pipeline has completed successfully (at this point, the image is made available on ironbank.dso.mil and registry1.dso.mil)

Now that your application has been merged and is hosted in Iron Bank's image registry, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to the GitLab CI Pipeline step above (step 5): fix what you can, re-run the pipeline, and justify the remaining findings. As you make changes, make sure you are still adhering to all of the requirements of the hardening process.