Security and Authentication @ chainguard-dev/apko

Directory Structure
Entrypoints
API
CLI
UI
Schemas
Build
Test
Security
Bookmarks

.chainguard
- source.yaml
.github
- workflows
- dependabot.yml
config
- task.yaml
docs
- apko_file.md
- build-process.md
- busybox.md
- faq.md
- sbom-composition.md
examples
- alias-only.yaml
- alpine-386_amd64.yaml
- alpine-amd64.yaml
- alpine-base-rootless.yaml
- alpine-base.yaml
- alpine-python3.yaml
- alpine-slim.yaml
- apko-devenv.yaml
- include.yaml
- nginx-rootless.yaml
- nginx.yaml
- options.yaml
- overlay.yaml
- remote-include.yaml
- wolfi-base.yaml
hack
- ci
  - 00-build.sh
  - 01-publish.sh
- ci-tests.sh
- make-devenv.sh
- run-devenv.sh
- update-golden.sh
- update-packages.sh
internal
- cli
- gen-jsonschema
  - generate.go
  - main.go
- tools.go
mac
- lima
  - apko-playground.yaml
- README.md
pkg
- build
- fetch
  - fetch.go
- lock
  - lock.go
- log
  - log.go
- options
  - options.go
- passwd
  - testdata
    - group
    - passwd
  - doc.go
  - group.go
  - group_test.go
  - passwd.go
  - passwd_test.go
- s6
  - s6.go
  - supervision_tree.go
- sbom
  - generator
    - cyclonedx
      - cyclonedx.go
    - idb
      - idb.go
    - spdx
      - spdx.go
      - spdx_test.go
    - generator.go
  - options
    - options.go
    - options_test.go
  - sbom.go
  - sbom_unit_test.go
- tarfs
- vcs
  - vcs.go
  - vcs_unit_test.go
- vfs
.editorconfig
.gitignore
.golangci.yml
.goreleaser.yaml
.ko.yaml
CODE_OF_CONDUCT.md
CONTRIBUTING.md
LICENSE
Makefile
NEWS.md
README.md
apk.md
go.mod
go.sum
header.tmpl
main.go
release.md

Security and Authentication

This section outlines the security and authentication features of apko. The apko command line utility is designed to be a secure and robust tool for building container images. Its security features help ensure that images are built from trusted sources and are not tampered with during the build process.

Authentication

Apko supports two authentication methods for pulling dependencies from registries:

Implicit Authentication: Apko will automatically attempt to use the credentials stored in your local Docker configuration file if the registry supports it.
- Example: If you are authenticated to a registry through Docker, and you use apko to pull an image from that registry, apko will automatically use your credentials. This is the most common approach and is the default if no explicit authentication is specified. cmd/apko/build.go#L180-L181
Explicit Authentication: For registries that require authentication, you can provide explicit credentials through the --auth flag.
- Example: If you are pulling an image from a registry that requires basic authentication:
```
apko build --auth username:password myimage:latest 
          
```
- Example: For registry requiring a token:
```
apko build --auth token myimage:latest
          
```
- Example: For a registry with an authentication configuration file:
```
apko build --auth=path/to/auth.json myimage:latest
          
```
- NOTE: The --auth flag supports various formats. The specific format depends on the registry and its authentication requirements. Refer to the registry’s documentation for the exact format. cmd/apko/build.go#L170-L173

Authorization

Apko handles authorization for both image pulling and pushing by leveraging the underlying Docker engine’s authentication mechanism.

Pulling Images: When apko pulls images, it relies on Docker’s authentication mechanism. If the image is pulled from a private registry, Docker checks if you are authorized to pull the image.
Pushing Images: When apko pushes images, it similarly uses Docker’s authentication system. If you attempt to push an image to a private registry, Docker will verify if you are authorized to push to that registry.

Note: The exact authorization process may vary depending on the registry and its configuration.