
Manifesto: A New Open Source Container Metadata Tool from Aqua Security

Jul 26th, 2017 1:00am by Liz Rice

At Aqua Security, we have just released an open source project to help container users manage the metadata associated with their container images. It’s called Manifesto, and it stores free-form metadata in the registry, alongside the images themselves.

The Need for Post-Build Metadata

Liz Rice is the technical evangelist at container security specialists Aqua Security. Prior to that she was CEO of Microscaling Systems and one of the developers of MicroBadger, a tool for managing container metadata.

I’ve been interested in container metadata for a while, working on MicroBadger and the label-schema standard. These projects addressed metadata that you can add to an image at build time through labels, but they don’t really help with the information about an image that you can update post-build — perhaps throughout its lifetime.

Just a few use cases for metadata that needs to be updated after an image is built include:

  • Keeping track of test results and approval status for an image as it passes through a set of "gates" before deployment
  • Saving the seccomp, AppArmor or other security profile that you want this image to run under
  • Storing the latest vulnerability scan report for the image

In all these cases (and many more) it’s possible to store the information somewhere else, but it’s a headache to tie it back to the image it relates to. The Manifesto project aims to remove that pain and make it seamless to store and retrieve data for your images.

A Command Line Tool

With Manifesto, we’ve built a prototype command line interface (CLI) that lets users add, list and get arbitrary metadata for a specific image.

Metadata for Automation

The demo retrieves the seccomp profile for a particular image and stores it in a file. That file can then be passed straight to the command that launches the container; in Docker, that is the --security-opt seccomp=<profile file> flag on docker run.
More generally, the CLI could be used in many automation scripts — for example, storing test results and those all-important vulnerability scans for an image as part of a CI/CD pipeline.

Leveraging Notary for Data Security

It's important that the metadata is kept secure and intact: you don't want a bad actor to be able to rewrite your vulnerability reports to hide a vulnerability, or to tamper with your security profiles. The Docker team have done an excellent job of ensuring the provenance of images through Notary, and with Manifesto we're aiming to leverage Notary for image metadata as well as for the images themselves. In fact, there's a Moby project proposal for standardized vulnerability reports that discusses an approach along these same lines.
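The following is an added example, not Manifesto's own code or CLI, that models the two ideas in the "Metadata for Automation" and "Leveraging Notary for Data Security" sections above. A toy store keys every piece of metadata by image digest, as a registry would; a CI/CD gate reads the latest vulnerability scan and approval status before allowing a deploy; the stored seccomp profile is written to a file and handed to docker run through --security-opt seccomp=; and an HMAC tag bound to the digest and metadata type stands in for the TUF signature Notary would provide, so a vulnerability report rewritten without the key is rejected rather than trusted. The image digest, signing key, seccomp profile and scan reports are constructed sample data, and the put/get/list method names, the metadata type names (seccomp, vulnscan, approval) and the tamper helper are assumptions made for this demo.

```python
"""Toy model of Manifesto-style metadata: per-digest storage, a CI gate, a seccomp
hand-off to docker run, and tamper detection. Added example, not Manifesto's code."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample data: a registry identifies an image by its content digest.
IMAGE = "myorg/web"
DIGEST = "sha256:" + hashlib.sha256(b"constructed image manifest bytes").hexdigest()
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # stands in for a Notary signing key

SECCOMP_PROFILE = {  # constructed, deliberately tiny allow-list
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}],
}
CLEAN_SCAN = {"scanner": "constructed", "summary": {"high": 0, "medium": 1}}
VULNERABLE_SCAN = {"scanner": "constructed", "summary": {"high": 1, "medium": 1}}


class MetadataStore:
    """Maps (image digest, metadata type) to payload bytes plus an integrity tag.

    Method names put/get/list are assumed for the demo. The HMAC tag stands in
    for the TUF signature Notary would provide; binding it to the digest and the
    type means a report signed for one image cannot be replayed onto another."""

    def __init__(self, key):
        self._key = key
        self._items = {}

    def _tag(self, digest, mtype, payload):
        msg = b"\0".join([digest.encode(), mtype.encode(), payload])
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, digest, mtype, obj):
        payload = json.dumps(obj, sort_keys=True).encode()
        self._items[(digest, mtype)] = (payload, self._tag(digest, mtype, payload))

    def get(self, digest, mtype):
        payload, tag = self._items[(digest, mtype)]  # KeyError if nothing stored
        if not hmac.compare_digest(tag, self._tag(digest, mtype, payload)):
            raise ValueError(f"{mtype} metadata for {digest} failed integrity check")
        return json.loads(payload)

    def list(self, digest):
        return sorted(t for d, t in self._items if d == digest)

    def tamper(self, digest, mtype, obj):
        """Simulate an attacker who can rewrite stored bytes but does not hold the key."""
        _, tag = self._items[(digest, mtype)]
        self._items[(digest, mtype)] = (json.dumps(obj, sort_keys=True).encode(), tag)


def gate_allows_deploy(store, digest, max_high=0):
    """CI/CD gate: deploy only an approved image whose intact, latest scan is clean."""
    try:
        scan = store.get(digest, "vulnscan")
        approval = store.get(digest, "approval")
    except (KeyError, ValueError):  # missing or tampered metadata fails closed
        return False
    high = scan.get("summary", {}).get("high", 0)
    return approval.get("status") == "approved" and high <= max_high


def docker_run_args(store, digest, image_ref, out_dir):
    """Write the stored seccomp profile to a file and build the docker run argv."""
    path = os.path.join(out_dir, "seccomp.json")
    with open(path, "w") as f:
        json.dump(store.get(digest, "seccomp"), f)
    return ["docker", "run", "--rm", "--security-opt", f"seccomp={path}", f"{image_ref}@{digest}"]


def demo():
    store = MetadataStore(SIGNING_KEY)
    store.put(DIGEST, "seccomp", SECCOMP_PROFILE)
    store.put(DIGEST, "approval", {"status": "approved", "by": "constructed-ci"})
    results = {}

    store.put(DIGEST, "vulnscan", CLEAN_SCAN)
    results["clean"] = gate_allows_deploy(store, DIGEST)  # True: approved and no high findings
    results["argv"] = docker_run_args(store, DIGEST, IMAGE, tempfile.mkdtemp())

    store.put(DIGEST, "vulnscan", VULNERABLE_SCAN)
    results["vulnerable"] = gate_allows_deploy(store, DIGEST)  # False: one high finding

    store.tamper(DIGEST, "vulnscan", CLEAN_SCAN)  # attacker rewrites the report to hide it
    results["tampered"] = gate_allows_deploy(store, DIGEST)  # still False: tag no longer matches
    results["types"] = store.list(DIGEST)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gate fails closed on both a missing entry and an integrity failure, which is the property you want from a pipeline step that trusts stored scan results: an attacker who can write to the store but not sign must not be able to turn a red gate green. With real Notary the tag would be an asymmetric TUF signature checked against a trusted root, so the verifier needs no secret at all; the HMAC here only keeps the example self-contained.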

The Future of Manifesto

We’re aiming to take Manifesto forward from its current prototype stage to being a robust, secure and useful tool. We’ve already had some helpful feedback, and, dear reader, we welcome your ideas, comments, PRs, and GitHub stars!

Feature image via Pixabay.

TNS owner Insight Partners is an investor in: Docker, Aqua Security.