Files
awoooi/docs/security/PACKAGE-SUPPLY-CHAIN-OWNER-POLICY-GATE.md

5.6 KiB
Raw Permalink Blame History

Package / Docker 供應鏈 Owner Policy Gate

項目 內容
日期 2026-06-15
狀態 draft_waiting_owner_policy_response
腳本 scripts/security/package-supply-chain-owner-policy-guard.py
Snapshot docs/security/package-supply-chain-owner-policy-gate.snapshot.json
Baseline docs/security/package-supply-chain-baseline.snapshot.json
模式 repo snapshot policy gate不 install、不 upgrade、不 pull image、不 build image、不 push image
runtime gate 0

1. 目的

此 owner policy gate 把 Package / Docker 供應鏈 baseline 的五個缺口轉成六個 owner policy request 草稿,讓後續處理 Python lockfile、requirements pinning、Docker digest pinning、compose image digest、CVE / license / SBOM 時,都必須先有 owner role / team、policy decision、maintenance window、rollback owner 與 redacted evidence refs。

本 gate 是只讀治理物件不是套件安裝、升級、pinning、CVE 掃描、SBOM 產生、image pull / build / push、registry login、workflow 修改、production deploy 或 runtime gate。

2. Owner Policy Request

Request ID 分級 對應缺口 目前狀態
supply_chain_owner_policy:package_manager_lockfile_owner C1 Node / pnpm lockfile owner 與更新窗口 waiting owner policy response
supply_chain_owner_policy:python_lockfile_policy C1 python_lockfile_absent waiting owner policy response
supply_chain_owner_policy:requirements_pin_policy C1 requirements_unpinned_entries_present waiting owner policy response
supply_chain_owner_policy:dockerfile_digest_pin_policy C0 docker_base_images_not_all_digest_pinneddocker_copy_from_images_not_all_digest_pinned waiting owner policy response
supply_chain_owner_policy:compose_image_digest_pin_policy C0 compose_images_not_all_digest_pinned waiting owner policy response
supply_chain_owner_policy:cve_license_sbom_window C1 CVE / license / SBOM tool 與執行窗口未定 waiting owner policy response

3. Required Owner Fields

  1. package_manager_policy
  2. lockfile_owner
  3. python_lock_policy
  4. docker_base_image_policy
  5. compose_image_policy
  6. registry_owner
  7. cve_scan_window
  8. rollback_owner

4. Reviewer Checks

  1. owner role / team 必須可追溯,不能只填個人暱稱或未脫敏 repo namespace。
  2. policy decision 必須明確區分 observe、plan、approve change、reject change。
  3. Python lockfile 決策必須說明工具、產生位置與相容性驗證方式。
  4. requirements pinning 決策必須說明 pinning 原則、例外條件與 rollback owner。
  5. Docker digest pinning 決策必須說明 base image、COPY --from image、registry owner 與回復策略。
  6. compose image digest 決策必須說明 service 範圍、tag / digest 對照與維護窗口。
  7. CVE / license / SBOM 決策必須說明工具、掃描窗口、結果分級與噪音處理方式。
  8. evidence refs 只能是脫敏 metadata不得包含 token、cookie、registry password、private key 或 secret value。
  9. change evidence 必須能回連到 baseline gap不得只提供口頭批准。
  10. runtime gate 必須獨立批准owner policy accepted 不能自動變成 runtime execution authorized。
  11. deploy / workflow / registry / image write 必須另有變更證據與 post-check。
  12. 前台呈現只能顯示脫敏產品 / 控管狀態,不得顯示 raw namespace、內部協作內容或工作視窗對話。

5. Blocked Actions

本 gate 通過前,以下動作全部維持 blocked

  1. install package
  2. upgrade package
  3. rewrite lockfile
  4. change requirements pin
  5. run external CVE lookup
  6. run external license lookup
  7. generate SBOM
  8. docker pull
  9. docker build
  10. docker push
  11. image tag change
  12. image digest pin change
  13. registry login
  14. workflow modification
  15. runner change
  16. secret value collection
  17. production deploy
  18. runtime execution
  19. action button enablement
  20. treat owner policy as runtime approval

6. 不可誤讀

  • package-supply-chain-baseline.snapshot.json 只是 repo-only baseline。
  • package-supply-chain-owner-policy-gate.snapshot.json 只是 owner policy gate 草稿。
  • 所有 request_sent、owner_response_received、owner_response_accepted、runtime_execution_authorized、action_buttons_allowed 仍是 0 / false
  • owner policy gate 通過只代表文件、snapshot 與 guard 對齊,不代表 Python lockfile、requirements pinning、Docker digest pinning、CVE / license / SBOM 已完成。
  • 本輪不 install、不 upgrade、不 pull image、不 build image、不 push image不登入 registry、不改 workflow、不改 secret、不部署。

7. 完成度

工作 完成度 說明
Package / Docker supply-chain owner policy gate 100% 已新增人讀文件、snapshot 與 guard並可由總進度 guard 串接
Node lockfile owner policy 45% 已有 pnpm lockfile 與 owner policy request尚未收到 owner response
Python lock policy 45% 已有 Python lockfile 缺口與 owner policy request尚未決定工具與 lockfile 策略
requirements pinning policy 35% 已有 26 條未 pin entry 的 policy request尚未批准 pinning 或相容性窗口
Docker / compose image policy 45% 已有 C0 digest pinning policy request尚未批准 digest 變更、registry owner 或 rollback
CVE / license / SBOM 驗證 15% 已定義 owner policy request尚未批准外部掃描窗口或工具
runtime gate 0% 未開啟任何執行期閘門