fix(security): verify internal runtime mirror digests

This commit is contained in:
ogt
2026-07-14 16:54:28 +08:00
parent fd35fab9dc
commit 52b870824f
2 changed files with 20 additions and 1 deletions

View File

@@ -299,7 +299,13 @@ def _target_digest_ref(image: ImagePolicy) -> str:
def _target_digest_present(image: ImagePolicy) -> bool:
try:
completed = subprocess.run(
["docker", "manifest", "inspect", _target_digest_ref(image)],
[
"docker",
"manifest",
"inspect",
"--insecure",
_target_digest_ref(image),
],
check=False,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,

View File

@@ -8,6 +8,7 @@ import tempfile
import unittest
from io import BytesIO
from pathlib import Path
from unittest.mock import patch
ROOT = Path(__file__).resolve().parents[3]
@@ -102,6 +103,18 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
)
)
def test_target_digest_verifier_uses_internal_registry_transport(self) -> None:
image = controller.load_policy(POLICY_PATH).images[0]
with patch.object(controller.subprocess, "run") as run:
run.return_value.returncode = 0
self.assertTrue(controller._target_digest_present(image))
command = run.call_args.args[0]
self.assertEqual(command[:3], ["docker", "manifest", "inspect"])
self.assertIn("--insecure", command)
self.assertEqual(command[-1], controller._target_digest_ref(image))
def test_source_manifests_match_internal_policy(self) -> None:
policy = controller.load_policy(POLICY_PATH)
by_asset = {image.asset_id: image for image in policy.images}