{"id":4448,"date":"2024-03-18T19:50:14","date_gmt":"2024-03-18T18:50:14","guid":{"rendered":"https:\/\/gokhan-gokalp.com\/?p=4448"},"modified":"2024-03-18T21:07:25","modified_gmt":"2024-03-18T20:07:25","slug":"securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1","status":"publish","type":"post","link":"https:\/\/gokhan-gokalp.com\/tr\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/","title":{"rendered":"Securing the Supply Chain of Containerized Applications to Reduce Security Risks (Security Scanning, SBOMs, Signing and Verifying Artifacts) &#8211; Part 1"},"content":{"rendered":"<p>As we know, the adoption of containerization in modern software development has considerably changed how applications are built and deployed. Because containers are <strong>lightweight<\/strong>, <strong>self-contained<\/strong> units, they let us move our applications consistently between environments and scale them quickly, which brings advantages and flexibility in many different respects.<\/p>\n<p>Containers are also one of the most important building blocks of scalable <strong>microservice architectures<\/strong>. 
Together with container orchestration tools such as Kubernetes, they let us use our resources more effectively, scale our applications flexibly and react quickly to changing requirements.<\/p>\n<p>Of course, alongside the advantages containers offer, they unfortunately also bring complexities that require a comprehensive approach to security. Since a security issue in a single container can potentially compromise the whole system, having a sound security posture that covers our entire container ecosystem end to end is very important. In other words, reducing the security risks of containerized applications and taking the necessary precautions is no longer just a best practice; it has become a <strong>strategic necessity<\/strong> for organizations.<\/p>\n<p>When we look at incidents of recent years such as <em>SolarWinds<\/em> and <em>Log4j<\/em> (if you remember, <em>Log4j<\/em> in particular kept us busy for quite a while), we can see that the <strong>Software Supply Chain<\/strong> in particular is being targeted. 
Considering how heavily we rely on open-source libraries while developing our applications, we can also see how exposed our applications are to malicious code injection and compromise.<\/p>\n<p>In general, there are various preventive controls and approaches we can apply throughout the <em>SDLC<\/em> to strengthen the software supply chain. Today, many organizations adopt a <strong>shift-left<\/strong> approach to security in order to follow best practices here, trying to integrate security into the earliest possible stages of the <em>SDLC<\/em>. 
These controls and approaches play an important role in minimizing vulnerabilities in the software supply chain, preserving integrity, reducing potential security risks and keeping delivery fast.<\/p>\n<p>For example, publications by <em>The National Institute of Standards and Technology<\/em> (<em>NIST<\/em>) such as &#8220;<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207.pdf\" target=\"_blank\" rel=\"noopener\"><strong>Zero Trust Architecture<\/strong><\/a>&#8221; and &#8220;<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-204D.ipd.pdf\" target=\"_blank\" rel=\"noopener\"><strong>Strategies for the Integration of Software Supply Chain Security in DevSecOps CI\/CD Pipelines<\/strong><\/a>&#8221; offer a range of recommendations, from adopting the principle of least privilege across the ecosystem, to performing secure builds in <em>CI\/CD<\/em> under explicit policies, to using tools such as software composition analysis (<em>SCA<\/em>) and static application security testing (<em>SAST<\/em>) at the early stages.<\/p>\n<p><em>Microsoft&#8217;s<\/em> <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/security\/container-secure-supply-chain\/\" target=\"_blank\" rel=\"noopener\"><em>Containers Secure Supply Chain (CSSC) <\/em><\/a>framework and the <a href=\"https:\/\/slsa.dev\/\" target=\"_blank\" rel=\"noopener\"><em>Supply-chain Levels for Software Artifacts<\/em> (<em>SLSA)<\/em><\/a> security framework, originally developed by <em>Google<\/em>, also provide quite comprehensive guidelines for building a secure software supply chain.<\/p>\n<p>In this article we will look at securing the software supply chain by examining approaches for ensuring the integrity of <strong>containerized<\/strong> applications and tracking their provenance throughout the <em>CI\/CD<\/em> stages. Taking into account some of the guidelines shared above, we will also look at a number of measures for reducing security risks.<\/p>\n<p><strong>In this context we will cover the following topics, in order.<\/strong><\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/03\/supply-chain-security-flow.png\"><img class=\"aligncenter size-full wp-image-4545\" src=\"\/wp-content\/uploads\/2024\/03\/supply-chain-security-flow.png\" alt=\"Supply chain security flow covered in this series\" width=\"822\" height=\"342\" \/><\/a><\/p>\n<ul>\n<li>Running a security scan and producing its report<\/li>\n<li>Generating the <em>SBOM<\/em> document<\/li>\n<li>Signing the generated artifacts<\/li>\n<li>Associating the generated artifacts with the corresponding container image<\/li>\n<li>Verifying the generated artifacts and their signatures during the <em>CD<\/em> processes<\/li>\n<li>In the second part of this article, we will look at enforcing different security controls with policies during the <em>CD<\/em> processes, using <em>OPA Gatekeeper<\/em> and the <em>Ratify<\/em> verification engine, before a container is deployed to a <em>Kubernetes<\/em> environment<\/li>\n<\/ul>\n<p>Now let&#8217;s start with the build (<em>CI<\/em>) processes!<\/p>\n<hr \/>\n<h1>Container Security Scanning<\/h1>\n<p>As we might guess, container images or libraries taken from untrusted sources can pose significant security risks because of the malware or vulnerabilities they may contain. These risks may be hiding in the code we have written on top of open-source libraries, or in the container images we are using.<\/p>\n<p>To address and minimize potential security risks, and with <em>DevSecOps<\/em> principles in mind, <strong>every container image<\/strong> built in our <em>CI<\/em> processes should go through a detailed security check with a container security scanning tool before it is pushed to our container registries. 
Once automated, this check detects potential vulnerabilities in our container images and lets us deal with the resulting risks up front; it is also the first important step towards a proactive container security posture and towards software supply chain security.<\/p>\n<p>Although it looks like a simple topic, controlling the lifecycle of containers for security has always been a headache for me, because the process starts with pulling a base container image from an external source and bringing it safely into our own internal environment, and runs all the way to deploying the resulting container to the production environment.<\/p>\n<p>Back to our topic: to strengthen our security posture there are various on-demand container security scanning tools that we can include in our <em>CI<\/em> processes, such as &#8220;<em>Trivy<\/em>&#8220;, &#8220;<em>Twistlock<\/em>&#8220;, &#8220;<em>Grype<\/em>&#8221; and &#8220;<em>Snyk<\/em>&#8221;. 
Whichever tool we choose, in this article I will proceed with <a href=\"https:\/\/github.com\/aquasecurity\/trivy\" target=\"_blank\" rel=\"noopener\"><em>Trivy<\/em><\/a>.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/trivy-logo.png\"><img class=\"aligncenter size-full wp-image-4490\" src=\"\/wp-content\/uploads\/2024\/02\/trivy-logo.png\" alt=\"Trivy logo\" width=\"365\" height=\"383\" \/><\/a><\/p>\n<p>In short, <em>Trivy<\/em> is a mature open-source security scanner. Besides scanning container images for vulnerabilities, it can also scan other targets such as &#8220;<em>git repositories<\/em>&#8220;, a &#8220;<em>filesystem<\/em>&#8221; or a &#8220;<em>kubernetes<\/em>&#8221; cluster.<\/p>\n<p>In addition to known vulnerabilities (<em>CVE<\/em>s) in OS packages and application dependencies, it can also scan for <em>IaC<\/em> misconfigurations and for sensitive data such as secrets.<\/p>\n<p>Throughout the article I will use the <em>.NET 5<\/em>-based Order<em> API<\/em> that I developed and used in my earlier articles as the sample application. 
You can reach the repository <em><a href=\"https:\/\/github.com\/GokGokalp\/choreography-saga-dotnet\/tree\/main\/OrderAPI\" target=\"_blank\" rel=\"noopener\">here<\/a><\/em>. Being an old sample application (<em>.NET 5<\/em> is out of support), it suits our example perfectly as far as vulnerabilities are concerned. As the <em>DevOps<\/em> environment I will use <strong><em>Azure Pipelines<\/em><\/strong>, and for <em>OCI<\/em> images and artifacts I will use <em><strong>Azure Container Registry<\/strong><\/em> (<em>ACR<\/em>).<\/p>\n<p>As a first step, let&#8217;s define a multi-stage pipeline as below.<\/p>\n<pre>trigger:\r\n- master\r\n\r\npool:\r\n  vmImage: ubuntu-latest\r\n\r\nvariables:\r\n  acrServiceConnectionName: 'MyPOCRegistry'\r\n  acrName: 'YOUR_ACR_NAME'\r\n  orderAPIImageName: 'order-api'\r\n\r\nstages:\r\n# Other stages for SAST, SCA tools...\r\n- stage: BuildAndScanStage\r\n  displayName: 'Build &amp; Scan Stage'\r\n  jobs:\r\n  - job: BuildAndScanContainerImage\r\n    displayName: 'Build &amp; scan the container image'\r\n    steps:\r\n    - task: Docker@2\r\n      displayName: 'Build $(orderAPIImageName) container image'\r\n      inputs:\r\n        containerRegistry: '$(acrServiceConnectionName)'\r\n        repository: '$(orderAPIImageName)'\r\n        command: 'build'\r\n        Dockerfile: '.\/OrderAPI\/Dockerfile'\r\n        buildContext: '.'\r\n        tags: '1.0.0'\r\n<\/pre>\n<p>Our first goal at this point is to containerize the source code after it has passed the checks of tools such as <em>SAST<\/em> and <em>SCA<\/em>. We will assume that those <em>SAST<\/em> and <em>SCA<\/em> tools are already in place. 
The next goal is to put the resulting container image through a security check before it is pushed to the registry. Naturally, the approach and the policies here can differ from organization to organization.<\/p>\n<p>After the containerization step in the &#8220;<em>BuildAndScanContainerImage<\/em>&#8221; job, let&#8217;s add the following two tasks and the &#8220;<em>trivyVersion<\/em>&#8221; variable to the pipeline in order to bring <em>Trivy<\/em> into our <em>CI<\/em> processes. The version is pinned deliberately; in a real pipeline you should also verify the checksum of the downloaded release before installing it, since the scanner itself is part of your supply chain.<\/p>\n<pre>variables:\r\n  ...\r\n  trivyVersion: '0.48.0'<\/pre>\n<pre>    - task: Bash@3\r\n      displayName: 'Download Trivy v$(trivyVersion)'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          wget https:\/\/github.com\/aquasecurity\/trivy\/releases\/download\/v$(trivyVersion)\/trivy_$(trivyVersion)_Linux-64bit.deb\r\n          sudo dpkg -i trivy_$(trivyVersion)_Linux-64bit.deb\r\n          trivy -v\r\n    - task: Bash@3\r\n      displayName: 'Scan the $(orderAPIImageName) container image for vulnerabilities'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          trivy image --exit-code 0 --severity HIGH,CRITICAL --scanners vuln $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0<\/pre>\n<p>After installing <em>Trivy<\/em> on the agent, let&#8217;s take a look at the parameters used in the scan command.<\/p>\n<ul>\n<li>I used the &#8220;<em>--exit-code 0<\/em>&#8221; parameter so that the pipeline is not stopped during our example. 
If we set it to &#8220;<em>1<\/em>&#8221; instead, the pipeline is stopped automatically whenever a &#8220;<em>HIGH<\/em>&#8221; or &#8220;<em>CRITICAL<\/em>&#8221; vulnerability is found. The &#8220;<em>LOW<\/em>&#8221;, &#8220;<em>MEDIUM<\/em>&#8221; and &#8220;<em>UNKNOWN<\/em>&#8221; severities are also available.<\/li>\n<li>With the &#8220;<em>--scanners vuln<\/em>&#8221; parameter I restricted the run to a vulnerability scan only. The &#8220;<em>secret<\/em>&#8221; and &#8220;<em>misconfig<\/em>&#8221; scanners can be added for other kinds of checks; the latter is especially useful for <em>IaC<\/em> templates.<\/li>\n<\/ul>\n<p>With this configuration, <em>Trivy<\/em> writes the <em>CVE<\/em> results to the console in table format by default, as below.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/01\/trivy-scan-result-table-scaled.jpg\"><img class=\"aligncenter size-full wp-image-4471\" src=\"\/wp-content\/uploads\/2024\/01\/trivy-scan-result-table-scaled.jpg\" alt=\"Trivy scan results in table format\" width=\"2560\" height=\"1038\" \/><\/a><\/p>\n<p>As we can see, since the sample application we are using is quite old, it found 70 different <em>CVE<\/em>s in total.<\/p>\n<p>At this stage <em>Trivy<\/em> has scanned both the <em>OS<\/em> packages of the image and the libraries that our application ships with.<\/p>\n<blockquote><p><em><strong>NOTE<\/strong><\/em>: Since the <em>Order API<\/em> is <em>.NET<\/em>-based, <em>Trivy<\/em> discovers the libraries in use through the &#8220;<em>**\/*.deps.json<\/em>&#8221; files.<\/p><\/blockquote>\n<p><a href=\"\/wp-content\/uploads\/2024\/01\/trivy-dotnet-vul-scaled.jpg\"><img class=\"aligncenter size-full wp-image-4472\" src=\"\/wp-content\/uploads\/2024\/01\/trivy-dotnet-vul-scaled.jpg\" alt=\"Trivy findings in the .NET dependencies\" width=\"2560\" height=\"1053\" \/><\/a><\/p>\n<p>Now, so that we can use the <em>CVE<\/em> results in the verification processes of the next stage and keep them as an artifact of our software supply chain, let&#8217;s configure <em>Trivy<\/em> to produce <em>JSON<\/em> output as below. Let&#8217;s also push the container image to the registry.<\/p>\n<blockquote><p><em><strong>NOTE<\/strong><\/em>: For simplicity I will use &#8220;<em>1.0.0<\/em>&#8221; as the container image version tag throughout the article. Keep in mind that tags are mutable, whereas the artifacts we attach below are bound to the image manifest digest; if <em>1.0.0<\/em> is ever rebuilt and pushed again, the new manifest will not carry the old scan report or <em>SBOM<\/em>.<\/p><\/blockquote>\n<pre>    - task: Bash@3\r\n      displayName: 'Scan the $(orderAPIImageName) container image for vulnerabilities'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          trivy image --exit-code 0 --severity HIGH,CRITICAL --scanners vuln --format sarif --output .\/trivy-sarif.json $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0\r\n    - task: Docker@2\r\n      displayName: 'Push $(orderAPIImageName) container image'\r\n      inputs:\r\n        containerRegistry: '$(acrServiceConnectionName)'\r\n        repository: '$(orderAPIImageName)'\r\n        command: 'push'\r\n        tags: '1.0.0'\r\n<\/pre>\n<p>At this point we will have run the container through the security scan and then pushed the container image to the registry. 
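<\/p>\n<p>The <em>SARIF<\/em> report is what turns &#8220;<em>--exit-code 0<\/em>&#8221; from a blind spot into a decision point: instead of letting <em>Trivy<\/em> fail the step on any <em>HIGH<\/em> or <em>CRITICAL<\/em> finding, a small gate can read the report, apply a severity threshold together with a time-boxed risk-acceptance list, and return the exit code the pipeline should use. The following is an added example and not code from the original post or from <em>Trivy<\/em>; the embedded <em>SARIF<\/em> document is constructed and trimmed to the fields the gate reads (each rule is one <em>CVE<\/em> and its severity sits in the rule&#8217;s <em>properties.tags<\/em>, as <em>Trivy<\/em> emits it), and the allowlist is a hypothetical risk register.<\/p>

```python
import json
import sys
from datetime import date

# Severity labels Trivy uses, ranked for threshold comparison.
SEVERITY_RANK = {'UNKNOWN': 0, 'LOW': 1, 'MEDIUM': 2, 'HIGH': 3, 'CRITICAL': 4}

# Constructed sample: a SARIF 2.1.0 document trimmed to the fields this gate
# reads, in the shape Trivy writes with --format sarif (each rule is one CVE,
# its severity sits in properties.tags, each result points at a rule by ruleId).
# Not a real scan output.
SAMPLE_SARIF = {
    'version': '2.1.0',
    'runs': [{
        'tool': {'driver': {'name': 'Trivy', 'rules': [
            {'id': 'CVE-2023-0001', 'shortDescription': {'text': 'libx: heap overflow'},
             'properties': {'security-severity': '9.8',
                            'tags': ['vulnerability', 'security', 'CRITICAL']}},
            {'id': 'CVE-2023-0002', 'shortDescription': {'text': 'openssl: timing side channel'},
             'properties': {'security-severity': '7.5',
                            'tags': ['vulnerability', 'security', 'HIGH']}},
            {'id': 'CVE-2023-0003', 'shortDescription': {'text': 'curl: information leak'},
             'properties': {'security-severity': '5.3',
                            'tags': ['vulnerability', 'security', 'MEDIUM']}},
        ]}},
        'results': [
            {'ruleId': 'CVE-2023-0001', 'level': 'error',
             'message': {'text': 'Package: libx\nInstalled Version: 1.0\nFixed Version: 1.1'}},
            {'ruleId': 'CVE-2023-0002', 'level': 'error',
             'message': {'text': 'Package: openssl\nInstalled Version: 1.1.1k\nFixed Version: 1.1.1t'}},
            {'ruleId': 'CVE-2023-0003', 'level': 'warning',
             'message': {'text': 'Package: curl\nInstalled Version: 7.74\nFixed Version: 7.81'}},
        ],
    }],
}

# Constructed (hypothetical) risk register: CVE -> (reason, expiry as ISO date).
# An accepted CVE stops blocking the pipeline only until its expiry passes.
SAMPLE_ALLOWLIST = {
    'CVE-2023-0002': ('not network reachable in this service, fix scheduled', '2099-01-01'),
}


def _rule_severity(rule):
    """Severity label stored in the rule's properties.tags (UNKNOWN if absent)."""
    for tag in rule.get('properties', {}).get('tags', []):
        if tag in SEVERITY_RANK:
            return tag
    return 'UNKNOWN'


def findings(sarif):
    """Flatten all runs into (cve_id, severity, first message line) tuples."""
    out = []
    for run in sarif.get('runs', []):
        rules = {r['id']: r for r in run['tool']['driver'].get('rules', [])}
        for res in run.get('results', []):
            rule = rules.get(res['ruleId'], {})
            summary = res.get('message', {}).get('text', '').splitlines()[:1]
            out.append((res['ruleId'], _rule_severity(rule), summary[0] if summary else ''))
    return out


def evaluate(sarif, min_severity='HIGH', allowlist=None, today=None):
    """Return (passed, blocking, accepted).

    blocking: findings at or above min_severity with no valid acceptance.
    accepted: findings covered by an unexpired allowlist entry.
    """
    allowlist = allowlist or {}
    today = today or date.today().isoformat()
    blocking, accepted = [], []
    for cve, sev, summary in findings(sarif):
        if SEVERITY_RANK[sev] < SEVERITY_RANK[min_severity]:
            continue
        entry = allowlist.get(cve)
        if entry and entry[1] >= today:   # ISO dates compare correctly as strings
            accepted.append((cve, sev, summary, entry[0]))
        else:
            blocking.append((cve, sev, summary))
    return len(blocking) == 0, blocking, accepted


def gate_exit_code(sarif, **kwargs):
    """Exit code for the pipeline step: 0 passes, 1 blocks (like trivy --exit-code 1)."""
    passed, blocking, accepted = evaluate(sarif, **kwargs)
    for cve, sev, summary in blocking:
        print(f'BLOCK  {sev:<8} {cve}  {summary}')
    for cve, sev, summary, reason in accepted:
        print(f'ACCEPT {sev:<8} {cve}  {summary}  ({reason})')
    return 0 if passed else 1


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8') as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_SARIF
    sys.exit(gate_exit_code(report, allowlist=SAMPLE_ALLOWLIST))
```

<p>In the pipeline this takes the place of a bare <em>trivy ... --exit-code 1<\/em>: run <em>python3 gate.py .\/trivy-sarif.json<\/em> (the script name is an assumption) right after the scan task, and the step fails only on findings that nobody has accepted. The difference from a <em>.trivyignore<\/em> file is that an acceptance expires instead of living forever.<\/p>\n<p>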
We chose <em>SARIF<\/em> for the container scan result because it is a standard format and integrates easily with different tools. Now, to keep the scan result we get in <em>SARIF<\/em> format as a part of the software supply chain, we will use the <em>ORAS<\/em> (<em>OCI Registry As Storage<\/em>) tool.<\/p>\n<p>In short, <em>ORAS<\/em> is a tool that lets us manage <strong><em>OCI<\/em> images<\/strong> and <strong>supply chain artifacts<\/strong> in <em>OCI<\/em> registries.<\/p>\n<pre>    - task: AzureCLI@2\r\n      displayName: 'Attach the scan result to the $(orderAPIImageName) container image'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          az acr login --name $(acrName)\r\n          oras attach --artifact-type application\/sarif+json $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 .\/trivy-sarif.json:application\/json<\/pre>\n<p>Here we use the &#8220;<em>oras attach<\/em>&#8221; command to create a reference between the container image and the &#8220;<em>trivy-sarif.json<\/em>&#8221; artifact: the artifact becomes a referrer of the image manifest.<\/p>\n<blockquote><p><em><strong>NOTE<\/strong><\/em>: Here I used <em>AAD<\/em> credentials so that <em>ORAS<\/em> can access <em>ACR<\/em> (<em>az acr login<\/em> stores a token in the Docker credential store, which <em>ORAS<\/em> reads by default). We can also do this with a service principal. 
For example: &#8220;<em>oras login myregistry.azurecr.io --username $SP_APP_ID --password $SP_PASSWD<\/em>&#8220;. In a pipeline, prefer <em>--password-stdin<\/em> so that the secret does not end up in the process list or the job log.<\/p><\/blockquote>\n<p>Another important point here is the &#8220;<em>artifact-type<\/em>&#8221; parameter and its naming convention. In short, this parameter lets us filter by different artifact types. We can give it any value we want. If we want to follow the standard naming conventions, we can use the form <em>[org|company|entity].[objectType].[optional-subType].config.[version]+[optional-configFormat]<\/em>. For details, take a look <em><a href=\"https:\/\/github.com\/opencontainers\/artifacts\/blob\/main\/artifact-authors.md\" target=\"_blank\" rel=\"noopener\">here<\/a><\/em>.<\/p>\n<p>Since I will use <em>Ratify<\/em> as the verification engine in this article series and rely on its built-in verification plugins, I used the &#8220;<em>application\/sarif+json<\/em>&#8221; type that <em>Ratify<\/em> specifies as the &#8220;<em>artifact-type<\/em>&#8221;.<\/p>\n<p>After running the pipeline, we can use <em>ORAS<\/em>&#8217;s &#8220;<em>discover<\/em>&#8221; command to view the artifact graph of the container as below. 
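<\/p>\n<p>The JSON form of &#8220;<em>discover<\/em>&#8221; is what a consumer (a <em>CD<\/em> step, or a tool such as <em>Ratify<\/em>) actually works with: an <em>OCI<\/em> index whose <em>manifests<\/em> entries are the referrers of the image, each with an <em>artifactType<\/em>, a digest and the creation annotation that <em>ORAS<\/em> adds on attach. The added example below, which is not code from the original post or from the <em>ORAS<\/em> project, shows two checks worth doing before trusting such a referrer: selecting it by type while refusing silently ambiguous results, and verifying that a pulled blob matches the digest and size in the referrer manifest and that the manifest&#8217;s <em>subject<\/em> is the image we asked about. Both JSON documents embedded in it are constructed samples in the shape the commands return, not real registry output, and the annotation name is an assumption worth checking against your own discover output.<\/p>

```python
import hashlib
import json
import sys

CREATED = 'org.opencontainers.image.created'   # annotation ORAS sets on attach (assumed)

# Constructed sample of what `oras discover -o json IMAGE` returns: an OCI index
# whose manifests[] are the referrers of the image. Two SARIF reports are present,
# as happens when the scan-and-attach step has run twice for the same image.
SAMPLE_DISCOVER = {
    'schemaVersion': 2,
    'mediaType': 'application/vnd.oci.image.index.v1+json',
    'manifests': [
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json',
         'digest': 'sha256:' + '11' * 32, 'size': 712,
         'artifactType': 'application/sarif+json',
         'annotations': {CREATED: '2024-03-01T10:00:00Z'}},
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json',
         'digest': 'sha256:' + '22' * 32, 'size': 698,
         'artifactType': 'application/spdx+json',
         'annotations': {CREATED: '2024-03-01T10:01:00Z'}},
        {'mediaType': 'application/vnd.oci.image.manifest.v1+json',
         'digest': 'sha256:' + '33' * 32, 'size': 712,
         'artifactType': 'application/sarif+json',
         'annotations': {CREATED: '2024-03-02T09:00:00Z'}},
    ],
}

# Constructed stand-ins for the pulled SBOM bytes and for the referrer manifest
# that `oras manifest fetch IMAGE@DIGEST` would return for it: the attached file
# is the manifest's single layer and `subject` points back at the image manifest.
IMAGE_DIGEST = 'sha256:' + 'ab' * 32
SAMPLE_SBOM_BYTES = b'SPDXVersion: SPDX-2.3 (constructed placeholder, not a real SBOM)'
SAMPLE_REFERRER_MANIFEST = {
    'schemaVersion': 2,
    'mediaType': 'application/vnd.oci.image.manifest.v1+json',
    'artifactType': 'application/spdx+json',
    'layers': [{'mediaType': 'application/json',
                'digest': 'sha256:' + hashlib.sha256(SAMPLE_SBOM_BYTES).hexdigest(),
                'size': len(SAMPLE_SBOM_BYTES)}],
    'subject': {'mediaType': 'application/vnd.oci.image.manifest.v1+json',
                'digest': IMAGE_DIGEST, 'size': 1204},
}


def referrers_of_type(index, artifact_type):
    """All referrer descriptors in a discover index with the given artifactType."""
    return [m for m in index.get('manifests', []) if m.get('artifactType') == artifact_type]


def select_referrer(index, artifact_type, allow_multiple=False):
    """Pick the referrer to trust. `.manifests[0]` silently takes whichever came
    first; here several candidates are an error unless the caller opts in, in
    which case the most recently created one wins."""
    found = referrers_of_type(index, artifact_type)
    if not found:
        raise LookupError(f'no referrer of type {artifact_type}')
    if len(found) > 1 and not allow_multiple:
        raise LookupError(f'{len(found)} referrers of type {artifact_type}, expected one')
    return max(found, key=lambda m: m.get('annotations', {}).get(CREATED, ''))


def digest_of(data):
    return 'sha256:' + hashlib.sha256(data).hexdigest()


def verify_blob(data, descriptor):
    """True only if the bytes match the descriptor's sha256 digest and size."""
    if not descriptor.get('digest', '').startswith('sha256:'):
        raise ValueError('unsupported digest algorithm in descriptor')
    return digest_of(data) == descriptor['digest'] and len(data) == descriptor.get('size')


def verify_pulled_artifact(manifest, data, image_digest, artifact_type):
    """Consumer-side checks after `oras pull`: the manifest is of the expected
    type, its subject is the image we asked about, and the blob is the one it
    describes (content addressing only helps if someone actually compares)."""
    if manifest.get('artifactType') != artifact_type:
        return False
    if manifest.get('subject', {}).get('digest') != image_digest:
        return False
    layers = manifest.get('layers', [])
    return len(layers) == 1 and verify_blob(data, layers[0])


if __name__ == '__main__':
    # Usage: oras discover -o json IMAGE | python3 referrer.py application/spdx+json
    wanted = sys.argv[1] if len(sys.argv) > 1 else 'application/spdx+json'
    index = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DISCOVER
    print(select_referrer(index, wanted)['digest'])
```

<p>Piping <em>oras discover -o json IMAGE<\/em> into the script (its name is an assumption) prints the digest of the one referrer of the requested type, or fails loudly when there are several; the referrer manifest for that digest can then be fetched with <em>oras manifest fetch IMAGE@DIGEST<\/em> and handed to the verification function together with the pulled file.<\/p>\n<p>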
As mentioned, we can also use the &#8220;<em>--artifact-type<\/em>&#8221; parameter to query for a specific artifact type.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/oras-discover-sarif.jpg\"><img class=\"aligncenter wp-image-4506 size-full\" src=\"\/wp-content\/uploads\/2024\/02\/oras-discover-sarif.jpg\" alt=\"oras discover output showing the SARIF referrer\" width=\"2036\" height=\"280\" \/><\/a><\/p>\n<hr \/>\n<h1>Generating a Software Bill of Materials (SBOM)<\/h1>\n<p>Another important artifact we can use for software supply chain security is the <em>SBOM<\/em> document. 
In short, an <em>SBOM<\/em> is a document that lists in detail, with their versions, all of the components and libraries used to build and run an application.<\/p>\n<p>Because <em>SBOM<\/em> documents bring transparency and visibility into the software supply chain, they play an important role in compliance policies (license management, compliance audits and so on) and in the early discovery of vulnerabilities. In summary, we can use <em>SBOM<\/em> documents to keep our applications secure throughout their lifecycle and to track and verify their dependencies and their origins.<\/p>\n<p>There are also various tools and platforms for managing <em>SBOM<\/em>s and getting continuous feedback on them, so that when a risk emerges we can quickly see what is affected and where, and take action.<\/p>\n<p>There are different tools for generating an <em>SBOM<\/em> document, and <em>Trivy<\/em> is one of them. <em>Trivy<\/em> can generate <em>SBOM<\/em> documents in both <em>CycloneDX<\/em> and <em>SPDX<\/em> format. 
Since I will use the <em>Ratify<\/em> verification engine in this article, I will generate an <em>SBOM<\/em> document in <em>SPDX<\/em> (JSON) format.<\/p>\n<p>Now let&#8217;s add the following two tasks to the pipeline to generate an <em>SBOM<\/em> document for the container, and then attach the generated <em>SBOM<\/em> document to the container via <em>ORAS<\/em> as another artifact of our software supply chain. Note the &#8220;<em>spdx-json<\/em>&#8221; format: <em>Trivy<\/em>&#8217;s plain &#8220;<em>spdx<\/em>&#8221; format writes the tag-value text form, which is not what an &#8220;<em>application\/spdx+json<\/em>&#8221; artifact should contain.<\/p>\n<pre>    - task: Bash@3\r\n      displayName: 'Create a SBOM document for the $(orderAPIImageName) container image'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          trivy image --format spdx-json --output .\/sbom.spdx.json $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0\r\n    - task: AzureCLI@2\r\n      displayName: 'Attach the SBOM document to the $(orderAPIImageName) container image'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          oras attach --artifact-type application\/spdx+json $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 .\/sbom.spdx.json:application\/json<\/pre>\n<p>When we run <em>ORAS<\/em>&#8217;s &#8220;<em>discover<\/em>&#8221; command again, we can see that the <em>SBOM<\/em> artifact has also been added to the graph, as below.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/oras-discover-spdx-sbom.jpg\"><img class=\"aligncenter size-full wp-image-4507\" src=\"\/wp-content\/uploads\/2024\/02\/oras-discover-spdx-sbom.jpg\" alt=\"oras discover output showing the SARIF and SPDX referrers\" width=\"2042\" height=\"392\" \/><\/a><\/p>\n<hr \/>\n<h1>Accessing the Artifacts<\/h1>\n<p>With <em>ORAS<\/em> it is also possible to pull any artifact we have associated with a container. For this, running the command below with the digest of the artifact is enough. 
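<\/p>\n<p>Once the <em>SPDX<\/em> document has been pulled with the commands that follow, the question an <em>SBOM<\/em> exists to answer quickly is &#8220;is this image affected?&#8221;. The added example below (not code from the original post or from <em>Trivy<\/em>) indexes the packages of an <em>SPDX<\/em> 2.3 JSON document by their <em>purl<\/em> and matches them against a list of advisories. The embedded <em>SBOM<\/em> and the advisory list are constructed samples, and the version comparison is a simplified numeric one that is adequate for <em>NuGet<\/em> but not for Debian package versions, which need a proper comparator.<\/p>

```python
import json
import re
import sys

# Constructed, trimmed SPDX 2.3 JSON document in the shape Trivy writes with
# --format spdx-json: packages carry versionInfo and a purl externalRef. Not the
# real SBOM of the Order API.
SAMPLE_SBOM = {
    'spdxVersion': 'SPDX-2.3',
    'SPDXID': 'SPDXRef-DOCUMENT',
    'name': 'order-api:1.0.0',
    'packages': [
        {'name': 'debian', 'SPDXID': 'SPDXRef-OS', 'versionInfo': '11.6'},
        {'name': 'libssl1.1', 'SPDXID': 'SPDXRef-Pkg-1', 'versionInfo': '1.1.1n-0+deb11u3',
         'externalRefs': [{'referenceCategory': 'PACKAGE-MANAGER', 'referenceType': 'purl',
                           'referenceLocator': 'pkg:deb/debian/libssl1.1@1.1.1n-0%2Bdeb11u3?arch=amd64&distro=debian-11.6'}]},
        {'name': 'Newtonsoft.Json', 'SPDXID': 'SPDXRef-Pkg-2', 'versionInfo': '12.0.3',
         'externalRefs': [{'referenceCategory': 'PACKAGE-MANAGER', 'referenceType': 'purl',
                           'referenceLocator': 'pkg:nuget/Newtonsoft.Json@12.0.3'}]},
        {'name': 'Microsoft.AspNetCore.App', 'SPDXID': 'SPDXRef-Pkg-3', 'versionInfo': '5.0.17',
         'externalRefs': [{'referenceCategory': 'PACKAGE-MANAGER', 'referenceType': 'purl',
                           'referenceLocator': 'pkg:nuget/Microsoft.AspNetCore.App@5.0.17'}]},
    ],
}

# Constructed (hypothetical) advisory list: (purl type, package name, first fixed
# version). Any installed version below the fixed one counts as affected.
SAMPLE_ADVISORIES = [
    ('nuget', 'Newtonsoft.Json', '13.0.1'),
    ('nuget', 'System.Text.Json', '6.0.7'),
    ('nuget', 'Microsoft.AspNetCore.App', '5.0.0'),
]

_PURL = re.compile(r'pkg:([^/]+)/(?:[^@?]*/)?([^@?/]+)(?:@([^?]+))?')


def purl_parts(locator):
    """pkg:type/namespace/name@version?qualifiers -> (type, name, version or None)."""
    m = _PURL.match(locator)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def version_key(v):
    """Coarse numeric key: '12.0.3' -> (12, 0, 3). Fine for NuGet; Debian versions
    (epochs, ~, revisions) need a real comparator such as dpkg --compare-versions."""
    key = []
    for piece in re.split(r'[.+~-]', v):
        digits = re.match(r'[0-9]+', piece)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def packages(sbom):
    """(purl type, name, installed version) for every package that has a purl."""
    out = []
    for pkg in sbom.get('packages', []):
        for ref in pkg.get('externalRefs', []):
            if ref.get('referenceType') != 'purl':
                continue
            parts = purl_parts(ref.get('referenceLocator', ''))
            if parts:
                out.append((parts[0], parts[1], parts[2] or pkg.get('versionInfo', '')))
    return out


def affected(sbom, advisories):
    """Packages whose installed version is below an advisory's fixed version."""
    index = {}
    for ptype, name, version in packages(sbom):
        index.setdefault((ptype, name.lower()), []).append(version)
    hits = []
    for ptype, name, fixed in advisories:
        for version in index.get((ptype, name.lower()), []):
            if version_key(version) < version_key(fixed):
                hits.append((ptype, name, version, fixed))
    return hits


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8') as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    for ptype, name, version, fixed in affected(doc, SAMPLE_ADVISORIES):
        print(f'AFFECTED pkg:{ptype}/{name}@{version} (fixed in {fixed})')
```

<p>Pointing it at a real file (<em>python3 sbom_query.py sbom.spdx.json<\/em>, script name assumed) prints one line per affected package; in a <em>CD<\/em> step that is the list you would hand to an exception process or use to block the deployment.<\/p>\n<p>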
As in the previous step, the digest of any artifact we want can easily be obtained with the <em>ORAS<\/em> &#8220;<em>discover<\/em>&#8221; command.<\/p>\n<pre>oras pull IMAGE_URL@DIGEST -o .<\/pre>\n<p>For example, to obtain the digest of the <em>SBOM<\/em> document we associated with the <em>Order API<\/em> container image, we can use the following command.<\/p>\n<pre>oras discover -o json --artifact-type 'application\/spdx+json' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 | jq -r \".manifests[0].digest\"<\/pre>\n<p>Note that &#8220;<em>.manifests[0]<\/em>&#8221; simply takes the first referrer that <em>ORAS<\/em> returns. If more than one artifact of the same type has been attached to the image, for example by a re-run of the pipeline, this picks one of them without any warning; in a pipeline it is safer to fail when the result is missing or ambiguous.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-4508 size-full lazyload\" data-src=\"\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts.jpg\" alt=\"\" width=\"2044\" height=\"318\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts.jpg 2044w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts-300x47.jpg 300w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts-1024x159.jpg 1024w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts-768x119.jpg 768w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/oras-pull-artifacts-1536x239.jpg 1536w\" data-sizes=\"(max-width: 2044px) 100vw, 2044px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 2044px; --smush-placeholder-aspect-ratio: 2044\/318;\" \/><\/a><\/p>\n<p>Looking at the downloaded <em>SBOM<\/em> document, we can see everything used inside the <em>Order API<\/em> container image listed together with its version, from the <em>NuGet<\/em> packages down to the dependencies of the <em>OS<\/em> layer. The visibility and transparency an <em>SBOM<\/em> provides make it considerably easier to assess the security of those dependencies and to manage their updates.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/sbom-spdx-scaled.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-4509 lazyload\" data-src=\"\/wp-content\/uploads\/2024\/02\/sbom-spdx-scaled.jpg\" alt=\"\" width=\"2560\" height=\"2036\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-scaled.jpg 2560w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-300x239.jpg 300w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-1024x814.jpg 1024w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-768x611.jpg 768w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-1536x1221.jpg 1536w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/sbom-spdx-2048x1629.jpg 2048w\" data-sizes=\"(max-width: 2560px) 100vw, 2560px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 2560px; --smush-placeholder-aspect-ratio: 2560\/2036;\" \/><\/a><\/p>\n<hr \/>\n<h1>Signing the Container Image and Its Artifacts<\/h1>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/file-_23_a643e707-b210-4279-849a-ed39b9e32b81.webp\"><img decoding=\"async\" class=\"aligncenter wp-image-4493 lazyload\" data-src=\"\/wp-content\/uploads\/2024\/02\/file-_23_a643e707-b210-4279-849a-ed39b9e32b81.webp\" alt=\"\" width=\"320\" height=\"400\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/file-_23_a643e707-b210-4279-849a-ed39b9e32b81.webp 720w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/file-_23_a643e707-b210-4279-849a-ed39b9e32b81-240x300.webp 240w\" data-sizes=\"(max-width: 320px) 100vw, 320px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 320px; --smush-placeholder-aspect-ratio: 320\/400;\" \/><\/a><\/p>\n<p>Up to this point we have built the container image of the <em>Order API<\/em> and run it through a vulnerability scan. We then stored the scan results in <em>ACR<\/em> via <em>ORAS<\/em> as an artifact of the software supply chain. To manage the supply chain more effectively and have transparency and visibility over it, we also generated and stored the <em>SBOM<\/em> document of the container.<\/p>\n<p>The next important step is to sign the container image and the artifacts we have produced. 
Signing as a software producer, and verifying that signature as a software consumer, is an important element that considerably raises the level of trust within the software supply chain.<\/p>\n<p>It lets us verify the integrity and the origin of a container image, and that it has not been altered since it was built, which brings a natural level of trustworthiness into the development and deployment processes.<\/p>\n<p>For signing and for verifying signed artifacts I will use the <strong><em>Notary Project<\/em><\/strong>. You may also want to take a look at the <strong><em>Cosign<\/em><\/strong> tool of the <strong><em>Sigstore<\/em><\/strong> project; <em>Sigstore<\/em> offers a rather comprehensive ecosystem.<\/p>\n<p>The <em>Notation CLI<\/em> is a supply chain tool that implements the <em>Notary Project<\/em> specifications and lets us sign <em>OCI<\/em> artifacts and verify them easily. 
First, let&#8217;s add a new stage named &#8220;<em>SigningStage<\/em>&#8221; to the pipeline as shown below and prepare the <em>Notation CLI<\/em> for this stage. Since this is the tool whose signatures we are going to trust, the pipeline pins its version, and the downloaded tarball should be checked against the checksums file published with the release before it is installed.<\/p>\n<pre>variables:\r\n  ...\r\n  notationVersion: '1.1.0'\r\n  notationTestKeyName: 'order-api.io'<\/pre>\n<pre>- stage: SigningStage\r\n  displayName: 'Sign Artifacts'\r\n  dependsOn: BuildAndScanStage\r\n  jobs:\r\n  - job: SignContainerArtifacts\r\n    displayName: 'Sign container artifacts'\r\n    steps:\r\n    - task: Bash@3\r\n      displayName: 'Download &amp; Prepare Notation v$(notationVersion)'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          # pinned version; verify the tarball against the release checksums before installing it\r\n          wget https:\/\/github.com\/notaryproject\/notation\/releases\/download\/v$(notationVersion)\/notation_$(notationVersion)_linux_amd64.tar.gz\r\n          tar xvzf notation_$(notationVersion)_linux_amd64.tar.gz\r\n          sudo mv notation \/usr\/local\/bin\r\n          \r\n          # generates a test RSA key plus a self-signed certificate named order-api.io and makes it the default signing key\r\n          notation cert generate-test --default $(notationTestKeyName)<\/pre>\n<p>After <em>Notation<\/em> is installed, to keep the example simple we generate a test <em>RSA<\/em> key named &#8220;<em>order-api.io<\/em>&#8221; that <em>Notation<\/em> can use for signing, together with the self-signed <em>X.509<\/em> test certificate it will use for verification. Besides creating the key and the certificate, this command sets the key as the default signing key and adds the certificate as a <em>Certificate Authority<\/em> (<em>CA<\/em>) to a trust store named &#8220;<em>order-api.io<\/em>&#8221;. 
For production environments it is of course better, from a security standpoint, to use a certificate issued by a trusted <em>CA<\/em> instead of a self-signed test certificate. <em>Notation<\/em> also has <a href=\"https:\/\/github.com\/Azure\/notation-azure-kv\" target=\"_blank\" rel=\"noopener\"><strong><em>Azure Key Vault<\/em><\/strong><\/a> and <a href=\"https:\/\/docs.aws.amazon.com\/signer\/latest\/developerguide\/image-signing-prerequisites.html\" target=\"_blank\" rel=\"noopener\"><em><strong>AWS Signer<\/strong><\/em><\/a> integrations for keys and certificates, which keeps the private key off the build agent altogether.<\/p>\n<p>Returning to the sample pipeline, we can start adding the tasks that perform the signing, as shown below.<\/p>\n<pre>    - task: AzureCLI@2\r\n      displayName: 'Sign the $(orderAPIImageName) container image'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          az acr login --name $(acrName)\r\n\r\n          docker pull $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0\r\n          \r\n          # resolve the tag to the manifest digest and keep only the part after the '@'\r\n          CONTAINER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0) &amp;&amp; CONTAINER_DIGEST=${CONTAINER_DIGEST#*@}\r\n          notation sign --signature-format cose --key $(notationTestKeyName) $(acrName).azurecr.io\/$(orderAPIImageName)@$CONTAINER_DIGEST\r\n    - task: AzureCLI@2\r\n      displayName: 'Sign the $(orderAPIImageName) container scan result'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          VULNERABILITY_SCAN_RESULT_DIGEST=$(oras discover -o json --artifact-type 'application\/sarif+json' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 | jq -r \".manifests[0].digest\")\r\n          notation sign --signature-format cose --key $(notationTestKeyName) $(acrName).azurecr.io\/$(orderAPIImageName)@$VULNERABILITY_SCAN_RESULT_DIGEST\r\n    - task: AzureCLI@2\r\n      displayName: 'Sign the $(orderAPIImageName) container SBOM document'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          SBOM_DIGEST=$(oras discover -o json --artifact-type 'application\/spdx+json' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 | jq -r \".manifests[0].digest\")\r\n          notation sign --signature-format cose --key $(notationTestKeyName) $(acrName).azurecr.io\/$(orderAPIImageName)@$SBOM_DIGEST<\/pre>\n<p>With these three tasks we sign, in order, the <em>Order API<\/em> container image, the container vulnerability scan result and the container <em>SBOM<\/em> document with <em>Notation<\/em>, and the signatures are stored in <em>ACR<\/em> next to the artifacts. Because a &#8220;<em>tag<\/em>&#8221; is mutable and can be pointed at a different image at any time, we address the artifacts by their &#8220;<em>digest<\/em>&#8221; when signing, so that the signature is bound to the exact content. The &#8220;<em>RepoDigests<\/em>&#8221; lookup above only works reliably because the agent has just pulled the image from a single registry; &#8220;<em>oras resolve<\/em>&#8221; returns the digest of a tag without pulling any layers and is the cleaner option. As the signature format we use &#8220;<em>cose<\/em>&#8221;, which is standardised by the <em>IETF<\/em>. 
To reach the artifacts previously associated with the container image and obtain their digests, we again rely on the &#8220;<em>discover<\/em>&#8221; command of the <em>ORAS CLI<\/em>, as described in the earlier steps.<\/p>\n<p>Looking at the artifact graph of the container again, we can see that signature information has now been included for each artifact, as shown below.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/02\/notary_signatures.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-4501 lazyload\" data-src=\"\/wp-content\/uploads\/2024\/02\/notary_signatures.jpg\" alt=\"\" width=\"2042\" height=\"526\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/notary_signatures.jpg 2042w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/notary_signatures-300x77.jpg 300w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/notary_signatures-1024x264.jpg 1024w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/notary_signatures-768x198.jpg 768w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/02\/notary_signatures-1536x396.jpg 1536w\" data-sizes=\"(max-width: 2042px) 100vw, 2042px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 2042px; --smush-placeholder-aspect-ratio: 2042\/526;\" \/><\/a><\/p>\n<p>So, beyond signing only the container image, by also signing the other supply chain artifacts, and later verifying those signatures, we make it 
<strong>verifiable<\/strong> that those artifacts were produced by a trusted source as well. This brings additional assurance for preserving the <strong>integrity<\/strong> of the containerized application.<\/p>\n<p>At this point we have completed the essential steps of the build phase. Depending on your needs, you can of course include other tools in these processes, such as code coverage results.<\/p>\n<p>Now we can move on to the deployment phase.<\/p>\n<hr \/>\n<h1>Verifying the Artifacts Before Deployment<\/h1>\n<p>Verifying signed container images and the artifacts associated with them before deployment is a critical step for providing trust, integrity and security within the software supply chain. We use these verification steps to confirm that an artifact comes from a trusted source, that its integrity is intact and that it has passed the required security controls.<\/p>\n<p>Here we will again use <em>ORAS<\/em> and the <em>Notation CLI<\/em>.<\/p>\n<p>Earlier, inside the &#8220;<em>SigningStage<\/em>&#8221;, we generated locally the test <em>RSA<\/em> key that <em>Notation<\/em> uses for signing and the self-signed test certificate it uses for verification. 
To perform the verification, the new stage we are about to create also needs that certificate. For this, let&#8217;s first add the following task as the last step of the &#8220;<em>SigningStage<\/em>&#8221; and share the certificate as a pipeline artifact. Note that &#8220;<em>notation cert generate-test<\/em>&#8221; writes both the private key (<em>order-api.io.key<\/em>) and the certificate (<em>order-api.io.crt<\/em>) into the &#8220;<em>localkeys<\/em>&#8221; directory; verification only needs the certificate, so only the <em>.crt<\/em> file is published. Publishing the whole directory would hand the signing key to anyone who can download pipeline artifacts.<\/p>\n<pre>    - task: PublishPipelineArtifact@1\r\n      inputs:\r\n        # publish only the certificate, never the .key file that sits next to it\r\n        targetPath: '$(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys\/$(notationTestKeyName).crt'\r\n        artifact: 'notation'\r\n        publishLocation: 'pipeline'<\/pre>\n<p>Now let&#8217;s add a new stage named &#8220;<em>Dev<\/em>&#8221; as shown below and place the certificate we shared as a pipeline artifact in the same location within this stage. You can think of this stage as the one that deploys our sample application, the <em>Order API<\/em>, to the development environment.<\/p>\n<pre>- stage: Dev\r\n  displayName: 'Deploy to Dev'\r\n  dependsOn: SigningStage\r\n  jobs:\r\n  - job: VerifyArtifacts\r\n    displayName: 'Verify Artifacts'\r\n    steps:\r\n    - task: DownloadPipelineArtifact@2\r\n      inputs:\r\n        buildType: 'current'\r\n        artifactName: 'notation'\r\n        downloadPath: '$(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys'<\/pre>\n<p>Here we defined a new job named &#8220;<em>VerifyArtifacts<\/em>&#8221; to carry out the verification, and as its first step we placed the certificate shared as a pipeline artifact in the same path. 
As the next step we again prepare the <em>Notation CLI<\/em> for this stage.<\/p>\n<p>While preparing the <em>Notation CLI<\/em>, we will import the shared certificate into <em>Notation<\/em> and additionally define a trust policy. To verify a container image or any other signed artifact with <em>Notation<\/em>, a trust policy has to be defined; it specifies which signers we trust and which level of verification is enforced.<\/p>\n<p>Let&#8217;s create a trust policy named &#8220;<em>trust-policy.json<\/em>&#8221; under the root folder of the project, as shown below.<\/p>\n<pre>{\r\n    \"version\": \"1.0\",\r\n    \"trustPolicies\": [\r\n        {\r\n            \"name\": \"mytodo-store-images\",\r\n            \"registryScopes\": [ \"*\" ],\r\n            \"signatureVerification\": {\r\n                \"level\" : \"strict\"\r\n            },\r\n            \"trustStores\": [ \"ca:order-api.io\" ],\r\n            \"trustedIdentities\": [\r\n                \"*\"\r\n            ]\r\n        }\r\n    ]\r\n}<\/pre>\n<p>The &#8220;<em>registryScopes<\/em>&#8221; key specifies the registry repositories this policy applies to. For the sake of the example I did not restrict it to a specific repository and applied it globally; in a real policy you would list the repositories (registry host plus repository name), so that the test key cannot vouch for unrelated images. The verification level is set with the &#8220;<em>signatureVerification<\/em>&#8221; key, and here I chose the &#8220;<em>strict<\/em>&#8221; level. 
The other options are &#8220;<em>permissive<\/em>&#8221;, &#8220;<em>audit<\/em>&#8221; and &#8220;<em>skip<\/em>&#8221;: &#8220;<em>strict<\/em>&#8221; enforces every check, &#8220;<em>permissive<\/em>&#8221; enforces integrity and authenticity and only logs the remaining checks, &#8220;<em>audit<\/em>&#8221; enforces only integrity, and &#8220;<em>skip<\/em>&#8221; performs no verification at all.<\/p>\n<p>With this verification level, <em>Notation<\/em> will perform checks such as &#8220;<em>Integrity<\/em>&#8221;, &#8220;<em>Authenticity<\/em>&#8221;, &#8220;<em>Authentic timestamp<\/em>&#8221;, &#8220;<em>Expiry<\/em>&#8221; and &#8220;<em>Revocation check<\/em>&#8221; on the artifacts.<\/p>\n<blockquote><p><strong><em>NOTE<\/em><\/strong>: the &#8220;<em>Authenticity<\/em>&#8221; check verifies that the artifact was produced by a source we trust, while the &#8220;<em>Authentic timestamp<\/em>&#8221; check verifies that the artifact was signed while the signing certificate was still valid.<\/p><\/blockquote>\n<p>With the &#8220;<em>trustStores<\/em>&#8221; key we reference the &#8220;<em>order-api.io<\/em>&#8221; trust store, which in the next step will hold the trusted root we add as a <em>CA<\/em>. The signers we trust are defined with the &#8220;<em>trustedIdentities<\/em>&#8221; key. Here I used the value &#8220;*&#8221;, which treats every certificate issued by the <em>CA<\/em> in that trust store as a trusted identity. With a self-signed test certificate that is just the single certificate itself, but with a real <em>CA<\/em> it would accept anything that <em>CA<\/em> ever issued, so the subject of the signing certificate should be pinned with an &#8220;<em>x509.subject<\/em>&#8221; entry. 
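<\/p>\n<p>Because a policy with &#8220;*&#8221; in both &#8220;<em>registryScopes<\/em>&#8221; and &#8220;<em>trustedIdentities<\/em>&#8221; is easy to copy into production unchanged, the following added example (not code from the original article or from the Notary Project) lints a trust policy for exactly those settings and places the policy above next to a hardened variant. The repository name and the certificate subject in the hardened policy are placeholders chosen for the example; the verification levels and the &#8220;<em>x509.subject<\/em>&#8221; identity syntax follow the Notary Project trust policy specification.<\/p>\n
```python
import json

# What each verification level enforces, per the Notary Project trust policy spec.
LEVEL_ENFORCEMENT = {
    'strict': 'all checks enforced',
    'permissive': 'integrity and authenticity enforced, expiry, timestamp and revocation only logged',
    'audit': 'only integrity enforced, everything else logged',
    'skip': 'no verification at all',
}
WILDCARD = '*'
IDENTITY_PREFIX = 'x509.subject: '
STORE_TYPES = ('ca', 'signingAuthority')

# The policy shown on the page, as a Python dict (same settings as trust-policy.json).
PAGE_POLICY = {
    'version': '1.0',
    'trustPolicies': [{
        'name': 'mytodo-store-images',
        'registryScopes': [WILDCARD],
        'signatureVerification': {'level': 'strict'},
        'trustStores': ['ca:order-api.io'],
        'trustedIdentities': [WILDCARD],
    }],
}

# Hardened variant. Repository and subject DN are example placeholders, not values from the page.
HARDENED_POLICY = {
    'version': '1.0',
    'trustPolicies': [{
        'name': 'order-api-images',
        'registryScopes': ['myregistry.azurecr.io/order-api'],
        'signatureVerification': {'level': 'strict'},
        'trustStores': ['ca:order-api.io'],
        'trustedIdentities': [IDENTITY_PREFIX + 'C=US, ST=WA, O=Example Org, CN=order-api.io'],
    }],
}


def lint_trust_policy(policy):
    # Returns a list of (policy name, finding) tuples; an empty list means nothing to object to.
    findings = []
    if policy.get('version') != '1.0':
        findings.append(('<document>', 'unexpected trust policy version ' + repr(policy.get('version'))))
    for entry in policy.get('trustPolicies') or []:
        name = entry.get('name', '<unnamed>')
        level = (entry.get('signatureVerification') or {}).get('level')
        if level not in LEVEL_ENFORCEMENT:
            findings.append((name, 'unknown verification level ' + repr(level)))
        elif level != 'strict':
            findings.append((name, 'level ' + level + ': ' + LEVEL_ENFORCEMENT[level]))
        scopes = entry.get('registryScopes') or []
        if WILDCARD in scopes:
            findings.append((name, 'registryScopes * makes this policy, and its trusted signers, apply to every repository'))
        if level == 'skip':
            continue  # nothing below matters when verification is skipped
        stores = entry.get('trustStores') or []
        if not stores:
            findings.append((name, 'no trustStores: nothing can chain to a trusted root'))
        for store in stores:
            kind, sep, store_name = store.partition(':')
            if kind not in STORE_TYPES or not sep or not store_name:
                findings.append((name, 'trustStores entry ' + repr(store) + ' is not <ca|signingAuthority>:<name>'))
        identities = entry.get('trustedIdentities') or []
        if WILDCARD in identities:
            findings.append((name, 'trustedIdentities * accepts any certificate issued by the trust store CA; pin x509.subject'))
        for ident in identities:
            if ident != WILDCARD and not ident.startswith(IDENTITY_PREFIX):
                findings.append((name, 'trustedIdentities entry ' + repr(ident) + ' is not an x509.subject: <DN> identity'))
    return findings


def load_and_lint(path):
    # Convenience wrapper for a trust-policy.json file on disk.
    with open(path, encoding='utf-8') as handle:
        return lint_trust_policy(json.load(handle))


if __name__ == '__main__':
    for label, policy in (('page', PAGE_POLICY), ('hardened', HARDENED_POLICY)):
        print(label, lint_trust_policy(policy))
```
\n<p>Run it against the policy file before &#8220;<em>notation policy import<\/em>&#8221; in the pipeline and fail the stage when it returns any finding; the hardened variant returns none, while the policy above is flagged twice, once for each wildcard.<\/p>\n<p>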
More information on this can be found <em><a href=\"https:\/\/github.com\/notaryproject\/specifications\/blob\/v1.0.0\/specs\/trust-store-trust-policy.md\" target=\"_blank\" rel=\"noopener\">here<\/a><\/em>.<\/p>\n<p>Now we can prepare the <em>Notation CLI<\/em> for the &#8220;<em>Dev<\/em>&#8221; stage.<\/p>\n<pre>    - task: Bash@3\r\n      displayName: 'Prepare Notation v$(notationVersion)'\r\n      inputs:\r\n        targetType: 'inline'\r\n        script: |\r\n          wget https:\/\/github.com\/notaryproject\/notation\/releases\/download\/v$(notationVersion)\/notation_$(notationVersion)_linux_amd64.tar.gz\r\n          tar xvzf notation_$(notationVersion)_linux_amd64.tar.gz\r\n          sudo mv notation \/usr\/local\/bin\r\n\r\n          # import the trust policy, then add the shared certificate to the trust store the policy references\r\n          notation policy import .\/trust-policy.json\r\n          notation cert add --type ca --store $(notationTestKeyName) $(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys\/order-api.io.crt<\/pre>\n<p>Unlike what we did in the &#8220;<em>SigningStage<\/em>&#8221;, here we import the trust policy defined in &#8220;<em>trust-policy.json<\/em>&#8221; into <em>Notation<\/em>. Then we add the &#8220;<em>order-api.io<\/em>&#8221; <em>CA<\/em> certificate obtained from the previous stage to a trust store of the same name.<\/p>\n<p>Now that the <em>Notation CLI<\/em> is equipped with the trust policy and the verification certificate, we can move on to the verification step. 
This step lets us verify that the container image and its associated artifacts are <strong>authentic<\/strong> and come from a <strong>trusted<\/strong> source. That source could be us, another team or a different publisher. We have used a single pipeline here, but the CD phase may well have its own processes and pipelines. The verification also gives us assurance that the artifacts have not been <strong>modified<\/strong> at any point between being built, signed and distributed. At this stage we can also check whether the application being deployed, the <em>Order API<\/em> in our example, has passed the various security stages, and enforce different policies accordingly.<\/p>\n<p>To verify a signature, all we need to do is run the &#8220;<em>verify<\/em>&#8221; command of <em>Notation<\/em> as shown below.<\/p>\n<pre>notation verify IMAGE_URL@DIGEST<\/pre>\n<pre>    - task: AzureCLI@2\r\n      displayName: 'Verify the $(orderAPIImageName) container image signature'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          az acr login --name $(acrName)\r\n\r\n          docker pull $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0\r\n          \r\n          CONTAINER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0) &amp;&amp; CONTAINER_DIGEST=${CONTAINER_DIGEST#*@}\r\n          # verify by digest; a missing signature, or one that does not chain to the trust store, fails the task\r\n          notation verify $(acrName).azurecr.io\/$(orderAPIImageName)@$CONTAINER_DIGEST<\/pre>\n<p>Here we perform the signature verification with <em>Notation<\/em> using the digest of the container image. If the image carries no signature manifest, or the signature it carries was not produced with the &#8220;<em>order-api.io<\/em>&#8221; <em>CA<\/em> certificate we added to the trust store, the verification fails and so does the pipeline. One caveat: what has been verified is the digest, so the deployment that follows must reference the image by that same digest rather than by the &#8220;<em>1.0.0<\/em>&#8221; tag; otherwise the tag could be re-pointed between verification and deployment.<\/p>\n<p>On success we get a result like the following:<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/03\/signature-verification-notary.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-4525 lazyload\" data-src=\"\/wp-content\/uploads\/2024\/03\/signature-verification-notary.jpg\" alt=\"\" width=\"2466\" height=\"90\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary.jpg 2466w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary-300x11.jpg 300w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary-1024x37.jpg 1024w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary-768x28.jpg 768w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary-1536x56.jpg 1536w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature-verification-notary-2048x75.jpg 2048w\" data-sizes=\"(max-width: 2466px) 100vw, 2466px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 2466px; --smush-placeholder-aspect-ratio: 2466\/90;\" \/><\/a><\/p>\n<p>Now let&#8217;s add the following tasks as well and verify the signatures of the other artifacts associated with the container.<\/p>\n<pre>    - task: AzureCLI@2\r\n      displayName: 'Verify the $(orderAPIImageName) container scan result'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          az acr login --name $(acrName)\r\n          RESULT=$(oras discover -o json --artifact-type 'application\/sarif+json' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 | jq -r \".manifests[0]\")\r\n\r\n          # jq prints the literal string null when no referrer of this type is attached\r\n          if [ \"$RESULT\" = \"null\" ]; then\r\n            echo \"Container scan result does not exist.\"\r\n            exit 1\r\n          else\r\n            VULNERABILITY_SCAN_RESULT_DIGEST=$(echo \"$RESULT\" | jq -r \".digest\")\r\n\r\n            notation verify $(acrName).azurecr.io\/$(orderAPIImageName)@$VULNERABILITY_SCAN_RESULT_DIGEST\r\n          fi\r\n    - task: AzureCLI@2\r\n      displayName: 'Verify the $(orderAPIImageName) container SBOM document'\r\n      inputs:\r\n        azureSubscription: 'DevOpsPoC'\r\n        scriptType: 'bash'\r\n        scriptLocation: 'inlineScript'\r\n        inlineScript: |\r\n          az acr login --name $(acrName)\r\n          RESULT=$(oras discover -o json --artifact-type 'application\/spdx+json' $(acrName).azurecr.io\/$(orderAPIImageName):1.0.0 | jq -r \".manifests[0]\")\r\n\r\n          if [ \"$RESULT\" = \"null\" ]; then\r\n            echo \"Container SBOM document does not exist.\"\r\n            exit 1\r\n          else\r\n            SBOM_DIGEST=$(echo \"$RESULT\" | jq -r \".digest\")\r\n\r\n            notation verify $(acrName).azurecr.io\/$(orderAPIImageName)@$SBOM_DIGEST\r\n          fi<\/pre>\n<p>As we can see, with a simple check we determine whether the artifact that each security control should have produced actually exists for the container image, and fail the pipeline otherwise. We then verify the signatures of those artifacts with <em>Notation<\/em>. Keep in mind what this proves: a scan result exists and was signed with a trusted key, not that the scan came back clean. Evaluating the contents of the scan result and the <em>SBOM<\/em> against policy is the subject of the next part.<\/p>\n<p>Thus, beyond verifying the authenticity of the container image itself, by also signing and verifying the other artifacts associated with it we establish an additional chain of trust across the whole software supply chain.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/03\/signature_verification_notary.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-4527 lazyload\" data-src=\"\/wp-content\/uploads\/2024\/03\/signature_verification_notary.jpg\" alt=\"\" width=\"2286\" height=\"1166\" data-srcset=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary.jpg 2286w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary-300x153.jpg 300w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary-1024x522.jpg 1024w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary-768x392.jpg 768w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary-1536x783.jpg 1536w, https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/signature_verification_notary-2048x1045.jpg 2048w\" data-sizes=\"(max-width: 2286px) 100vw, 2286px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 2286px; --smush-placeholder-aspect-ratio: 2286\/1166;\" \/><\/a><\/p>\n<hr \/>\n<h1>Final Words<\/h1>\n<p>Although the article turned out rather long, I hope it has offered a perspective on securing the software supply chain in the context of containerized applications.<\/p>\n<p>In the next part of the article we will focus on how to enforce detailed policy checks, using <em>OPA Gatekeeper<\/em> and the <em>Ratify Verification Engine<\/em>, on artifacts such as the <em>SBOM<\/em> document and the container vulnerability scan result we associated with the container image, before anything is deployed to the Kubernetes environment.<\/p>\n<h2>References<\/h2>\n<blockquote><p><em><a href=\"https:\/\/learn.microsoft.com\/en-gb\/azure\/container-registry\/container-registry-tutorial-sign-build-push\" target=\"_blank\" rel=\"noopener\">Sign container images with Notation and Azure Key Vault using a self-signed certificate &#8211; Azure Container Registry | Microsoft Learn<\/a><br \/>\n<a href=\"https:\/\/github.com\/notaryproject\/notation\" target=\"_blank\" rel=\"noopener\">GitHub &#8211; notaryproject\/notation: A CLI tool to sign and verify artifacts<\/a><br \/>\n<a href=\"https:\/\/notaryproject.dev\/docs\/quickstart-guides\/quickstart-sign-image-artifact\/\" target=\"_blank\" rel=\"noopener\">Quickstart: Sign and validate a container image | Notary Project | A set of specifications and tools intended to provide a cross-industry standard for securing software supply chains.<\/a><br \/>\n<\/em><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>As we know, the adoption of containerization in the modern software development landscape has considerably changed the way applications are built and deployed. Containers being lightweight and self-contained units brings many advantages and a great deal of flexibility, such as moving our applications consistently between different environments and scaling them quickly.&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/gokhan-gokalp.com\/tr\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/\">Continue reading<span class=\"screen-reader-text\">Reducing Security Risks by Securing the Supply Chain of Containerized Applications (Security Scanning, SBOMs, Signing and Verifying Artifacts) &#8211; Part 
1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":4547,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[418,375,680,434,368],"tags":[111,618,685,694,687,582,686,695,683,440,688,690,689,681,693,692,682,691,684],"class_list":["post-4448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-ci-continuous-integration","category-cloud","category-containerizing","category-microservices","tag-net","tag-azure-pipeline","tag-ci-cd","tag-container-guvenligi","tag-container-registry","tag-container-security","tag-deployment","tag-guvenlik-taramasi","tag-image-signing","tag-kubernetes","tag-opa","tag-policy","tag-ratify","tag-sbom","tag-sdlc","tag-shifting-left","tag-software-supply-chain-security","tag-vulnerability","tag-vulnerability-scan","entry"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"tr","enabled_languages":["en","tr"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"tr":{"title":true,"content":true,"excerpt":false}}},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Containerized Uygulamalar\u0131n Supply Chain&#039;ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM&#039;lar, Artifact&#039;lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan G\u00f6kalp<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/\" \/>\n<meta property=\"og:locale\" content=\"tr_TR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"Containerized Uygulamalar\u0131n Supply Chain&#039;ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM&#039;lar, Artifact&#039;lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan G\u00f6kalp\" \/>\n<meta property=\"og:url\" content=\"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/\" \/>\n<meta property=\"og:site_name\" content=\"G\u00f6khan G\u00f6kalp\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-18T18:50:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-18T20:07:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"G\u00f6khan G\u00f6kalp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Yazan:\" \/>\n\t<meta name=\"twitter:data1\" content=\"G\u00f6khan G\u00f6kalp\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tahmini okuma s\u00fcresi\" \/>\n\t<meta name=\"twitter:data2\" content=\"48 dakika\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/\"},\"author\":{\"name\":\"G\u00f6khan G\u00f6kalp\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#\\\/schema\\\/person\\\/7e2a7fa98babd22a5fdae563c4b8cdbe\"},\"headline\":\"Containerized Uygulamalar\u0131n Supply Chain&#8217;ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM&#8217;lar, Artifact&#8217;lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) &#8211; B\u00f6l\u00fcm 1\",\"datePublished\":\"2024-03-18T18:50:14+00:00\",\"dateModified\":\"2024-03-18T20:07:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/\"},\"wordCount\":8095,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#\\\/schema\\\/person\\\/7e2a7fa98babd22a5fdae563c4b8cdbe\"},\"image\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/software-supply-chain-security-contains.jpg\",\"keywords\":[\".NET\",\"azure pipeline\",\"ci cd\",\"container g\u00fcvenli\u011fi\",\"container registry\",\"container security\",\"deployment\",\"g\u00fcvenlik taramas\u0131\",\"image 
signing\",\"kubernetes\",\"OPA\",\"Policy\",\"Ratify\",\"SBOM\",\"SDLC\",\"shifting left\",\"software supply chain security\",\"vulnerability\",\"vulnerability scan\"],\"articleSection\":[\"Azure\",\"CI (Continuous Integration)\",\"Cloud\",\"Containerizing\",\"Microservices\"],\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/\",\"url\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/\",\"name\":\"Containerized Uygulamalar\u0131n Supply Chain'ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM'lar, Artifact'lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan 
G\u00f6kalp\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/software-supply-chain-security-contains.jpg\",\"datePublished\":\"2024-03-18T18:50:14+00:00\",\"dateModified\":\"2024-03-18T20:07:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#breadcrumb\"},\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"tr\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\\\/#primaryimage\",\"url\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/software-supply-chain-security-contains.jpg\",\"contentUrl\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/software-supply-chain-security-contains.jpg\",\"width\":1200,\"height\":675},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifa
cts-part-1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/gokhan-gokalp.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing the Supply Chain of Containerized Applications to Reduce Security Risks (Security Scanning, SBOMs, Signing&#038;Verifying Artifacts) &#8211; Part 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#website\",\"url\":\"https:\\\/\\\/gokhan-gokalp.com\\\/\",\"name\":\"G\u00f6khan G\u00f6kalp\",\"description\":\"C# &amp; Python lover\",\"publisher\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#\\\/schema\\\/person\\\/7e2a7fa98babd22a5fdae563c4b8cdbe\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/gokhan-gokalp.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"tr\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/#\\\/schema\\\/person\\\/7e2a7fa98babd22a5fdae563c4b8cdbe\",\"name\":\"G\u00f6khan G\u00f6kalp\",\"pronouns\":\"he\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"tr\",\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/litespeed\\\/avatar\\\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659\",\"url\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/litespeed\\\/avatar\\\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659\",\"contentUrl\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/litespeed\\\/avatar\\\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659\",\"caption\":\"G\u00f6khan 
G\u00f6kalp\"},\"logo\":{\"@id\":\"https:\\\/\\\/gokhan-gokalp.com\\\/wp-content\\\/litespeed\\\/avatar\\\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659\"},\"sameAs\":[\"https:\\\/\\\/gokhan-gokalp.com\"],\"url\":\"https:\\\/\\\/gokhan-gokalp.com\\\/tr\\\/author\\\/gok-gokalp\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Containerized Uygulamalar\u0131n Supply Chain'ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM'lar, Artifact'lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan G\u00f6kalp","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/","og_locale":"tr_TR","og_type":"article","og_title":"Containerized Uygulamalar\u0131n Supply Chain'ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM'lar, Artifact'lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan G\u00f6kalp","og_url":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/","og_site_name":"G\u00f6khan G\u00f6kalp","article_published_time":"2024-03-18T18:50:14+00:00","article_modified_time":"2024-03-18T20:07:25+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg","type":"image\/jpeg"}],"author":"G\u00f6khan G\u00f6kalp","twitter_card":"summary_large_image","twitter_misc":{"Yazan:":"G\u00f6khan G\u00f6kalp","Tahmini okuma s\u00fcresi":"48 
dakika"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#article","isPartOf":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/"},"author":{"name":"G\u00f6khan G\u00f6kalp","@id":"https:\/\/gokhan-gokalp.com\/#\/schema\/person\/7e2a7fa98babd22a5fdae563c4b8cdbe"},"headline":"Containerized Uygulamalar\u0131n Supply Chain&#8217;ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM&#8217;lar, Artifact&#8217;lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) &#8211; B\u00f6l\u00fcm 1","datePublished":"2024-03-18T18:50:14+00:00","dateModified":"2024-03-18T20:07:25+00:00","mainEntityOfPage":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/"},"wordCount":8095,"commentCount":1,"publisher":{"@id":"https:\/\/gokhan-gokalp.com\/#\/schema\/person\/7e2a7fa98babd22a5fdae563c4b8cdbe"},"image":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg","keywords":[".NET","azure pipeline","ci cd","container g\u00fcvenli\u011fi","container registry","container security","deployment","g\u00fcvenlik taramas\u0131","image signing","kubernetes","OPA","Policy","Ratify","SBOM","SDLC","shifting left","software supply chain security","vulnerability","vulnerability scan"],"articleSection":["Azure","CI (Continuous 
Integration)","Cloud","Containerizing","Microservices"],"inLanguage":"tr","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/","url":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/","name":"Containerized Uygulamalar\u0131n Supply Chain'ini G\u00fcvence Alt\u0131na Alarak G\u00fcvenlik Risklerini Azaltma (G\u00fcvenlik Taramas\u0131, SBOM'lar, Artifact'lerin \u0130mzalanmas\u0131 ve Do\u011frulanmas\u0131) - B\u00f6l\u00fcm 1 - G\u00f6khan G\u00f6kalp","isPartOf":{"@id":"https:\/\/gokhan-gokalp.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#primaryimage"},"image":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg","datePublished":"2024-03-18T18:50:14+00:00","dateModified":"2024-03-18T20:07:25+00:00","breadcrumb":{"@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#breadcrumb"},"inLanguage":"tr","potentialAction":[{"@type":"ReadAction","target":["https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containe
rized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/"]}]},{"@type":"ImageObject","inLanguage":"tr","@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#primaryimage","url":"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg","contentUrl":"https:\/\/gokhan-gokalp.com\/wp-content\/uploads\/2024\/03\/software-supply-chain-security-contains.jpg","width":1200,"height":675},{"@type":"BreadcrumbList","@id":"https:\/\/gokhan-gokalp.com\/securing-the-supply-chain-of-containerized-applications-to-reduce-security-risks-security-scanning-sboms-signingverifying-artifacts-part-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/gokhan-gokalp.com\/"},{"@type":"ListItem","position":2,"name":"Securing the Supply Chain of Containerized Applications to Reduce Security Risks (Security Scanning, SBOMs, Signing&#038;Verifying Artifacts) &#8211; Part 1"}]},{"@type":"WebSite","@id":"https:\/\/gokhan-gokalp.com\/#website","url":"https:\/\/gokhan-gokalp.com\/","name":"G\u00f6khan G\u00f6kalp","description":"C# &amp; Python lover","publisher":{"@id":"https:\/\/gokhan-gokalp.com\/#\/schema\/person\/7e2a7fa98babd22a5fdae563c4b8cdbe"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/gokhan-gokalp.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"tr"},{"@type":["Person","Organization"],"@id":"https:\/\/gokhan-gokalp.com\/#\/schema\/person\/7e2a7fa98babd22a5fdae563c4b8cdbe","name":"G\u00f6khan 
G\u00f6kalp","pronouns":"he","image":{"@type":"ImageObject","inLanguage":"tr","@id":"https:\/\/gokhan-gokalp.com\/wp-content\/litespeed\/avatar\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659","url":"https:\/\/gokhan-gokalp.com\/wp-content\/litespeed\/avatar\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659","contentUrl":"https:\/\/gokhan-gokalp.com\/wp-content\/litespeed\/avatar\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659","caption":"G\u00f6khan G\u00f6kalp"},"logo":{"@id":"https:\/\/gokhan-gokalp.com\/wp-content\/litespeed\/avatar\/e645f66b6264ced10d7b6d8b1f85509b.jpg?ver=1776170659"},"sameAs":["https:\/\/gokhan-gokalp.com"],"url":"https:\/\/gokhan-gokalp.com\/tr\/author\/gok-gokalp\/"}]}},"_links":{"self":[{"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/posts\/4448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/comments?post=4448"}],"version-history":[{"count":81,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/posts\/4448\/revisions"}],"predecessor-version":[{"id":4550,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/posts\/4448\/revisions\/4550"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/media\/4547"}],"wp:attachment":[{"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/media?parent=4448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/categories?post=4448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gokhan-gokalp.com\/tr\/wp-json\/wp\/v2\/tags?post=4448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}