5.6 KiB
5.6 KiB
Package / Docker 供應鏈 Owner Policy Gate
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-15 |
| 狀態 | draft_waiting_owner_policy_response |
| 腳本 | scripts/security/package-supply-chain-owner-policy-guard.py |
| Snapshot | docs/security/package-supply-chain-owner-policy-gate.snapshot.json |
| Baseline | docs/security/package-supply-chain-baseline.snapshot.json |
| 模式 | repo snapshot policy gate,不 install、不 upgrade、不 pull image、不 build image、不 push image |
| runtime gate | 0 |
1. 目的
此 owner policy gate 把 Package / Docker 供應鏈 baseline 的五個缺口轉成六個 owner policy request 草稿,讓後續處理 Python lockfile、requirements pinning、Docker digest pinning、compose image digest、CVE / license / SBOM 時,都必須先有 owner role / team、policy decision、maintenance window、rollback owner 與 redacted evidence refs。
本 gate 是只讀治理物件,不是套件安裝、升級、pinning、CVE 掃描、SBOM 產生、image pull / build / push、registry login、workflow 修改、production deploy 或 runtime gate。
2. Owner Policy Request
| Request ID | 分級 | 對應缺口 | 目前狀態 |
|---|---|---|---|
supply_chain_owner_policy:package_manager_lockfile_owner |
C1 | Node / pnpm lockfile owner 與更新窗口 | waiting owner policy response |
supply_chain_owner_policy:python_lockfile_policy |
C1 | python_lockfile_absent |
waiting owner policy response |
supply_chain_owner_policy:requirements_pin_policy |
C1 | requirements_unpinned_entries_present |
waiting owner policy response |
supply_chain_owner_policy:dockerfile_digest_pin_policy |
C0 | docker_base_images_not_all_digest_pinned、docker_copy_from_images_not_all_digest_pinned |
waiting owner policy response |
supply_chain_owner_policy:compose_image_digest_pin_policy |
C0 | compose_images_not_all_digest_pinned |
waiting owner policy response |
supply_chain_owner_policy:cve_license_sbom_window |
C1 | CVE / license / SBOM tool 與執行窗口未定 | waiting owner policy response |
3. Required Owner Fields
package_manager_policylockfile_ownerpython_lock_policydocker_base_image_policycompose_image_policyregistry_ownercve_scan_windowrollback_owner
4. Reviewer Checks
- owner role / team 必須可追溯,不能只填個人暱稱或未脫敏 repo namespace。
- policy decision 必須明確區分 observe、plan、approve change、reject change。
- Python lockfile 決策必須說明工具、產生位置與相容性驗證方式。
- requirements pinning 決策必須說明 pinning 原則、例外條件與 rollback owner。
- Docker digest pinning 決策必須說明 base image、
COPY --fromimage、registry owner 與回復策略。 - compose image digest 決策必須說明 service 範圍、tag / digest 對照與維護窗口。
- CVE / license / SBOM 決策必須說明工具、掃描窗口、結果分級與噪音處理方式。
- evidence refs 只能是脫敏 metadata,不得包含 token、cookie、registry password、private key 或 secret value。
- change evidence 必須能回連到 baseline gap,不得只提供口頭批准。
- runtime gate 必須獨立批准;owner policy accepted 不能自動變成 runtime execution authorized。
- deploy / workflow / registry / image write 必須另有變更證據與 post-check。
- 前台呈現只能顯示脫敏產品 / 控管狀態,不得顯示 raw namespace、內部協作內容或工作視窗對話。
5. Blocked Actions
本 gate 通過前,以下動作全部維持 blocked:
- install package
- upgrade package
- rewrite lockfile
- change requirements pin
- run external CVE lookup
- run external license lookup
- generate SBOM
- docker pull
- docker build
- docker push
- image tag change
- image digest pin change
- registry login
- workflow modification
- runner change
- secret value collection
- production deploy
- runtime execution
- action button enablement
- treat owner policy as runtime approval
6. 不可誤讀
package-supply-chain-baseline.snapshot.json只是 repo-only baseline。package-supply-chain-owner-policy-gate.snapshot.json只是 owner policy gate 草稿。- 所有 request_sent、owner_response_received、owner_response_accepted、runtime_execution_authorized、action_buttons_allowed 仍是
0 / false。 owner policy gate通過只代表文件、snapshot 與 guard 對齊,不代表 Python lockfile、requirements pinning、Docker digest pinning、CVE / license / SBOM 已完成。- 本輪不 install、不 upgrade、不 pull image、不 build image、不 push image,不登入 registry、不改 workflow、不改 secret、不部署。
7. 完成度
| 工作 | 完成度 | 說明 |
|---|---|---|
| Package / Docker supply-chain owner policy gate | 100% |
已新增人讀文件、snapshot 與 guard,並可由總進度 guard 串接 |
| Node lockfile owner policy | 45% |
已有 pnpm lockfile 與 owner policy request;尚未收到 owner response |
| Python lock policy | 45% |
已有 Python lockfile 缺口與 owner policy request;尚未決定工具與 lockfile 策略 |
| requirements pinning policy | 35% |
已有 26 條未 pin entry 的 policy request;尚未批准 pinning 或相容性窗口 |
| Docker / compose image policy | 45% |
已有 C0 digest pinning policy request;尚未批准 digest 變更、registry owner 或 rollback |
| CVE / license / SBOM 驗證 | 15% |
已定義 owner policy request;尚未批准外部掃描窗口或工具 |
| runtime gate | 0% |
未開啟任何執行期閘門 |