Adding OCI Tags to Docker Images

This page explains Arnica's automated workflow that adds Open Container Initiative (OCI) Tags to Docker images. The workflow is designed to map container images to their corresponding source code in your Git repository, ensuring seamless traceability, improved security, and consistent image annotation across your codebase.

Why it matters

  1. Traceability: By linking Docker images directly to their source code, your teams can easily trace and audit where the source code is deployed.

  2. Streamlined Security Management: Reducing security noise by deduplicating vulnerability findings helps prioritize real risks. This focused approach leads to better-informed security decisions and faster remediation of issues, while also reducing unnecessary work for developers.

Organizations are shifting to a shared "golden image" model for enhanced consistency and security. If your organization adopts this approach, OCI tagging can help identify where vulnerabilities occur, enabling Arnica to direct findings to the team responsible for the "golden image", when applicable.

Understanding the code changes

Arnica automatically maps between Dockerfiles in Git repositories and Docker images by using statistical analysis. However, certain Dockerfiles need more context to be mapped successfully to their Docker images, and this is where you see Arnica's commit: it is added to the HEAD of the source branch in every Pull Request in the repository until it is merged at least once to your important branch (the default branch in most cases).

Below are the changes in the commit:

  1. A block scoped with a start and end location.

  2. LABEL org.opencontainers.image.source - the link to the Git repository.

  3. LABEL org.opencontainers.image.path - the link to the Dockerfile in the Git repository. This is needed because multiple Dockerfiles can exist in the same Git repository.

  4. Optional: a custom message provided by the Arnica operators with further instructions.

FAQ

Q: Why this repository and not others? A: Your organization's Arnica operators opted this Git repository into this feature (it is off by default).

Q: Will this break my pipeline? A: No. LABEL instructions are safe to add, and even encouraged by the OCI specification. For more information see OCI Annotations.

Q: Will this break my Docker cache? A: We are adding these labels last to avoid affecting cached layers.

Q: I didn't touch any Dockerfiles, why are you adding these labels? A: Any change to any file may trigger an image build and deployment once this Pull Request is merged. To ensure all images are properly linked to the correct source code, Arnica will add these labels to all Dockerfiles that don't have them yet.

Q: I'm a frontend developer who is simply changing an icon, why am I seeing this? A: You are simply the lucky first to open a Pull Request after the policy was enabled for this repository!

Q: We already have our images annotated during the build process in our CI/CD pipeline, why here? A: At this point, Arnica does not automatically identify these labels added during image build. Note that there is no harm in adding these labels via the Dockerfile; however, if you have a concern, see below for how to opt out.

Q: I don't like this. How do I stop this? A: There are three ways to opt out:

  1. Contact your Arnica operators and request removal of your Git repository from the policy.

  2. Add a comment with #arnica-ignore to the file to opt it out going forward. (Note that your organization may have a customized ignore pattern; check with your security team for details.)
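The following POSIX shell script is an added example (not Arnica's own tooling) that reproduces the shape of the commit described under "Below are the changes in the commit" and honours the #arnica-ignore opt-out from this FAQ: it appends a start/end-scoped block with the two LABEL instructions to the end of a Dockerfile, so existing cached layers are unaffected, and leaves the file untouched when it already carries the source label or contains the ignore comment. The marker comment text, the function names, and the sample repository URL and path are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Arnica's code. Appends OCI source/path labels to a
# Dockerfile as the last instructions, scoped by start/end marker comments.
# The marker text below is an assumption for this example.
OCI_BLOCK_START='# --- oci-labels: start ---'
OCI_BLOCK_END='# --- oci-labels: end ---'

# True when the Dockerfile opts out via the #arnica-ignore comment.
is_ignored() {
    grep -q '#arnica-ignore' "$1"
}

# True when the Dockerfile already declares the OCI source label.
has_oci_source_label() {
    grep -q 'org.opencontainers.image.source' "$1"
}

# add_oci_labels DOCKERFILE REPO_URL DOCKERFILE_LINK
# Returns 0 when the label block was appended, 1 when the file was left as-is.
add_oci_labels() {
    file=$1
    repo_url=$2
    dockerfile_link=$3

    if is_ignored "$file" || has_oci_source_label "$file"; then
        return 1
    fi

    # Make sure the last existing instruction ends with a newline.
    if [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file"
    fi

    # Appending after every other instruction keeps earlier layers cacheable.
    cat >> "$file" <<EOF
$OCI_BLOCK_START
LABEL org.opencontainers.image.source="$repo_url"
LABEL org.opencontainers.image.path="$dockerfile_link"
$OCI_BLOCK_END
EOF
    return 0
}

# Demo on a constructed Dockerfile (sample values, not a real repository).
demo_dir=$(mktemp -d)
printf 'FROM alpine:3.19\nRUN apk add --no-cache curl\nCMD ["curl", "--version"]\n' \
    > "$demo_dir/Dockerfile"
add_oci_labels "$demo_dir/Dockerfile" \
    "https://github.com/example-org/example-repo" \
    "https://github.com/example-org/example-repo/blob/main/services/api/Dockerfile" \
    && cat "$demo_dir/Dockerfile"
rm -rf "$demo_dir"
```

After building an image from a Dockerfile that carries the block, the labels can be confirmed with `docker inspect --format '{{json .Config.Labels}}' <image>`; a missing org.opencontainers.image.source entry there means the build used a Dockerfile that opted out or already had the label elsewhere.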

Q: Ok, I read your FAQ, read your docs, talked to my Arnica operators, but I still have a question. A: We are here to help! In urgent matters or for any questions, please contact [email protected].
