Azure Container Registry (ACR) is Azure's OCI-compliant artifact registry. It was one of the first registries to be updated to support the OCI v1.1 distribution specification.
Azure Kubernetes Service (AKS) is Azure's managed Kubernetes offering.
Gatekeeper is a Kubernetes-native policy controller. By hooking into the Kubernetes validating and mutating admission webhooks, it enforces policies using Open Policy Agent.
Azure Key Vault is Azure's offering for cryptographic key management.
The Microsoft SBOM Tool runs against code, filesystems and Linux images to produce an SPDX 2.2-compatible software bill of materials (SBOM).
Notation allows users to sign OCI artifacts and images, store the signature as an OCI artifact within an OCI v1.1-compliant registry, and verify the signature(s) associated with a given object in the registry.
The Azure Key Vault provider is a Notation plugin that enables the use of certificates housed within Azure Key Vault.
The updates included in v1.1 of the OCI image and distribution specifications codify storing non-image artifacts in OCI registries. Additionally, there is now support for explicitly defined hierarchical relationships between artifacts within a given OCI 1.1-compliant registry. Within a manifest, the subject field indicates the parent artifact; the referrers endpoint can be used to query the child artifacts for a given digest.
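As an added example (not code from this repository), the following Python builds an OCI 1.1 manifest whose subject field points at an image and emulates the registry-side filtering behind the referrers endpoint. The registry contents, SBOM payload and signature payload are constructed placeholders; the SPDX and Notation signature media types are assumed from those projects' conventions.

```python
import hashlib
import json

def canonical(manifest: dict) -> bytes:
    """Serialize a manifest; a registry digests the exact bytes it receives."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def descriptor(media_type: str, payload: bytes, **extra) -> dict:
    """OCI content descriptor (mediaType, digest, size) plus optional fields."""
    return {"mediaType": media_type, "size": len(payload), **extra,
            "digest": "sha256:" + hashlib.sha256(payload).hexdigest()}

def referrer_manifest(subject: dict, artifact_type: str,
                      blob: bytes, blob_media_type: str) -> dict:
    """OCI 1.1 image manifest that attaches blob to the parent named by subject."""
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "artifactType": artifact_type,
            "config": descriptor("application/vnd.oci.empty.v1+json", b"{}"),
            "layers": [descriptor(blob_media_type, blob)],
            # The subject is itself a descriptor: only mediaType/digest/size are copied.
            "subject": {k: subject[k] for k in ("mediaType", "digest", "size")}}

def referrers(registry: list, subject_digest: str, artifact_type=None) -> dict:
    """Emulate GET /v2/<name>/referrers/<digest>[?artifactType=...] as an image index."""
    found = []
    for raw in registry:
        m = json.loads(raw)
        if m.get("subject", {}).get("digest") != subject_digest:
            continue  # not a child of this digest
        if artifact_type and m.get("artifactType") != artifact_type:
            continue  # optional client-side filter on artifactType
        found.append(descriptor(m["mediaType"], raw,
                                artifactType=m.get("artifactType")))
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.index.v1+json",
            "manifests": found}

# Constructed sample registry: one image plus an SBOM and a signature pointing at it.
IMAGE = canonical({"schemaVersion": 2,
                   "mediaType": "application/vnd.oci.image.manifest.v1+json",
                   "config": descriptor("application/vnd.oci.image.config.v1+json", b'{"os":"linux"}'), "layers": []})
IMAGE_DESC = descriptor("application/vnd.oci.image.manifest.v1+json", IMAGE)
SBOM_TYPE = "application/spdx+json"                  # assumed SPDX JSON media type
SIG_TYPE = "application/vnd.cncf.notary.signature"   # assumed Notation artifactType
REGISTRY = [IMAGE,
            canonical(referrer_manifest(IMAGE_DESC, SBOM_TYPE, b'{"spdxVersion":"SPDX-2.2"}', SBOM_TYPE)),
            canonical(referrer_manifest(IMAGE_DESC, SIG_TYPE, b"<placeholder JWS envelope>", "application/jose+json"))]
```

Calling referrers(REGISTRY, IMAGE_DESC["digest"]) returns both children; passing SIG_TYPE as artifact_type narrows it to the signature, which is the lookup a verifier such as Notation or Ratify performs before checking a signature.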
ORAS enables users to push and pull non-image artifacts to and from OCI registries. This CLI also facilitates building and discovering relationships between images and artifacts within OCI v1.1-compliant registries.
Prior to the finalization of the OCI 1.1 specification updates, the ORAS Project created a custom OCI registry to support development and testing of the OCI Artifact specification. This proposed separate specification was discarded in favor of updating the OCI Image specification to broadly support the subject field and artifact type. The ORAS registry is currently used as a local registry within the CI/CD pipeline so the artifact bundle can be created locally and pushed in a single step to Azure Container Registry.
Gatekeeper can interface with external data sources to provide supplementary information to be considered when evaluating policy. In this case, Ratify serves as an external data provider for Gatekeeper and allows policy to be written against OCI registries, covering both artifacts and the relationships between artifacts and images.
Static Analysis Results Interchange Format (SARIF) is an industry-standard format designed to capture the output of static analysis tools. It is an OASIS-approved standard.
Trivy is an open-source vulnerability scanner from Aquasec. It can be run against file systems and/or container images. Although it supports a variety of output formats, SARIF is the format used by this repository.