vscode extension for container related secure supply chain tools
The VS-code-Docker extension uses the Docker V2 API to facilitate the distribution of images to the Docker engine. The extension interacts with instances of the Docker registry, which is a service to manage information about docker images and enable their distribution. The API is assigned/called in the RegistryApi.ts. The current extension displays the repositories to which the user has access to and the tags within them as a tree view in the Registries category.
How the current extension shows the registries: Located at vscode-docker.
- Accessing Repositories as Tree View: The extension accesses Docker registries using the Docker V2 API. It allows users to view the repositories available to them in a convenient tree view format under the "Registries" group. This tree view presents a hierarchical structure of repositories and their corresponding image tags.
- CLI Commands: The Docker extension offers various commands to manage Docker-related tasks. These commands are available in the extension's source code, commands recognized in the Registries group can be found here. These CLI commands allow users to perform operations such as pull image, delete image, pull repository, and delete registry right from within Visual Studio Code.
Limitations:
- No display of image referrers.
- No support for image signing.
The secondary extension introduces features enhancing user experience by providing image referrer information and enabling image signing. Referrer data is obtained using the ORAS CLI, and image signing leverages the Notation CLI.
- Prerequisites
- Download ORAS Library
- Download Azure CLI
- Download Notation CLI
- Install Docker extension and Docker Desktop
- Add ORAS directory to PATH environment variable.
Right-Click Interaction:
- Users navigate to "Registries" panel in Docker View of VS Code.
- Right-click a tag image to access menu options, including new features.
menu
Once an action is selected the user is logged into the docker cli and the command is then executed.
When right clicking on the tag image select 'Show Referrer' in the menus option. The command oras discover -o tree $IMAGE is then executed and the referrer output tree is put into a text document to be read by the user.
- Navigate to the menu option
Set the Default Signing Key…to see the available keys for signing an image. The user interface appears as this:
- The current default is shown as a description next to the key name. To change the default select an available key and the command
notation key set --default $KEYis executed and the default signing key is updated. - There is also the option to
Add new key from Azure Key Vault. When the user selects this they are taken through a dialog to input the new key name and the name of the AKV that they want to add. There is a setting option to instead input the key ID instead of the AKV name so that if the user wants a certain version of a key instead of the latest they have that option. The setting looks like this:
- Once the user has keys and a default key set up then they can sign an image using the
Sign Imagein the menu option.
- When an image has no referrers the tree only shows the root image. This is confusing to see as a user and needs to be fixed to instead tell the user no referrers were found for this image.
- Reference an image by its digest instead of tag when executing cli commands.
- To implement the features, we replicated the current Docker commands structure for registry items. Following a clear pattern: defining the command seen in the menu, handling the event triggering, and executing the CLI command. Instead of relying on the Docker CLI, the features will leverage the ORAS CLI or the Notation CLI.
- We check that CLI's are downloaded through sending a dummy command. If the command errors we responsed with an error message stating the cli isn't downloaded or set up in the enviorment variables and provide a link to their installation page.
- For authentication the Docker extension's logInToDockerCli function was imported into the feature and we coded a replica of the getDockerCliCredentials function so that the login credentials are passed accordingly.
- It will be implemented as a secondary extension dependant on the VScode Docker extension.
- The secondary extension is available when when the user right clicks on an image.
When a image has no referrers the displayed text doc can be initally confusing to look at.
Users appreciate release notes as you update your extension.
Initial release of ...
Fixed issue #.
Added features X, Y, and Z.