by sandstrom
715 days ago
I see it in the readme now, interesting!

A question out of curiosity: would you say that this is still a good fit for company-internal Docker images? I.e. a packaged Rails app that's deployed in production using Docker (basically to verify that we only deploy images built in CI [GitHub Actions]). Or would something more lightweight, like the Notary project [1], be a better fit for internal use?

(I know signing and provenance are different things, though for internal purposes we can kind of infer provenance from just seeing a signed container, assuming we've locked down the build environment properly.)

[1] https://notaryproject.dev/docs/quickstart-guides/quickstart-...
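The deploy-side gate the comment is asking about, as an added example that is not code from the thread, from the README under discussion, or from the Notary project. It assumes the `notation` CLI is installed with a trust policy naming the CI signing identity, so that `notation verify <ref>` fails for anything CI did not sign; the repository name `ghcr.io/example-org/rails-app` and the `VERIFY_CMD`/`ALLOWED_REPO` variables are hypothetical and exist only so the gate can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Notary project): a deploy gate that
# refuses to run an image unless it is digest-pinned, lives in the repository
# CI pushes to, and passes signature verification.
#
# Assumptions (not stated on the page): the `notation` CLI is installed and a
# trust policy that names the CI signing identity has been configured, so that
# `notation verify <ref>` exits non-zero for anything not signed by CI.
# VERIFY_CMD is overridable so the gate can be exercised without a registry.
VERIFY_CMD="${VERIFY_CMD:-notation verify}"

# Repository the CI pipeline pushes to (hypothetical name). A validly signed
# image from any other repository is still not "our" build.
ALLOWED_REPO="${ALLOWED_REPO:-ghcr.io/example-org/rails-app}"

deploy_if_signed() {
  ref="$1"

  # 1. Require a digest-pinned reference in the allowed repository. A tag can
  #    be repointed between verification and `docker pull`, so verifying a
  #    tag proves nothing about the bytes that actually get run.
  case "$ref" in
    "$ALLOWED_REPO"@sha256:[0-9a-f]*) ;;
    *@sha256:*)
      echo "refusing $ref: not from $ALLOWED_REPO" >&2
      return 2 ;;
    *)
      echo "refusing $ref: reference must be pinned to a sha256 digest" >&2
      return 2 ;;
  esac

  # 2. Verify the signature on exactly that digest.
  if $VERIFY_CMD "$ref" >/dev/null 2>&1; then
    echo "verified $ref; deploying"
    # docker run / kubectl set image would go here, using $ref unchanged.
    return 0
  fi
  echo "refusing $ref: signature verification failed" >&2
  return 1
}

# Usage: ./gate.sh ghcr.io/example-org/rails-app@sha256:<digest>
if [ "$#" -gt 0 ]; then
  deploy_if_signed "$1"
  exit $?
fi
```

Whichever signer you pick, the two properties worth keeping are the ones above: verify the digest you will run rather than a tag, and treat "signed" as "signed by the CI identity, in the repository CI pushes to", which is exactly the inference the comment describes when the build environment is locked down.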