100 lines
5.6 KiB
Markdown
100 lines
5.6 KiB
Markdown
# Package / Docker 供應鏈 Owner Policy Gate
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-15 |
|
||
| 狀態 | `draft_waiting_owner_policy_response` |
|
||
| 腳本 | `scripts/security/package-supply-chain-owner-policy-guard.py` |
|
||
| Snapshot | `docs/security/package-supply-chain-owner-policy-gate.snapshot.json` |
|
||
| Baseline | `docs/security/package-supply-chain-baseline.snapshot.json` |
|
||
| 模式 | repo snapshot policy gate,不 install、不 upgrade、不 pull image、不 build image、不 push image |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
此 owner policy gate 把 Package / Docker 供應鏈 baseline 的五個缺口轉成六個 owner policy request 草稿,讓後續處理 Python lockfile、requirements pinning、Docker digest pinning、compose image digest、CVE / license / SBOM 時,都必須先有 owner role / team、policy decision、maintenance window、rollback owner 與 redacted evidence refs。
|
||
|
||
本 gate 是只讀治理物件,不是套件安裝、升級、pinning、CVE 掃描、SBOM 產生、image pull / build / push、registry login、workflow 修改、production deploy 或 runtime gate。
|
||
|
||
## 2. Owner Policy Request
|
||
|
||
| Request ID | 分級 | 對應缺口 | 目前狀態 |
|
||
|------------|------|----------|----------|
|
||
| `supply_chain_owner_policy:package_manager_lockfile_owner` | C1 | Node / pnpm lockfile owner 與更新窗口 | waiting owner policy response |
|
||
| `supply_chain_owner_policy:python_lockfile_policy` | C1 | `python_lockfile_absent` | waiting owner policy response |
|
||
| `supply_chain_owner_policy:requirements_pin_policy` | C1 | `requirements_unpinned_entries_present` | waiting owner policy response |
|
||
| `supply_chain_owner_policy:dockerfile_digest_pin_policy` | C0 | `docker_base_images_not_all_digest_pinned`、`docker_copy_from_images_not_all_digest_pinned` | waiting owner policy response |
|
||
| `supply_chain_owner_policy:compose_image_digest_pin_policy` | C0 | `compose_images_not_all_digest_pinned` | waiting owner policy response |
|
||
| `supply_chain_owner_policy:cve_license_sbom_window` | C1 | CVE / license / SBOM tool 與執行窗口未定 | waiting owner policy response |
|
||
|
||
## 3. Required Owner Fields
|
||
|
||
1. `package_manager_policy`
|
||
2. `lockfile_owner`
|
||
3. `python_lock_policy`
|
||
4. `docker_base_image_policy`
|
||
5. `compose_image_policy`
|
||
6. `registry_owner`
|
||
7. `cve_scan_window`
|
||
8. `rollback_owner`
|
||
|
||
## 4. Reviewer Checks
|
||
|
||
1. owner role / team 必須可追溯,不能只填個人暱稱或未脫敏 repo namespace。
|
||
2. policy decision 必須明確區分 observe、plan、approve change、reject change。
|
||
3. Python lockfile 決策必須說明工具、產生位置與相容性驗證方式。
|
||
4. requirements pinning 決策必須說明 pinning 原則、例外條件與 rollback owner。
|
||
5. Docker digest pinning 決策必須說明 base image、`COPY --from` image、registry owner 與回復策略。
|
||
6. compose image digest 決策必須說明 service 範圍、tag / digest 對照與維護窗口。
|
||
7. CVE / license / SBOM 決策必須說明工具、掃描窗口、結果分級與噪音處理方式。
|
||
8. evidence refs 只能是脫敏 metadata,不得包含 token、cookie、registry password、private key 或 secret value。
|
||
9. change evidence 必須能回連到 baseline gap,不得只提供口頭批准。
|
||
10. runtime gate 必須獨立批准;owner policy accepted 不能自動變成 runtime execution authorized。
|
||
11. deploy / workflow / registry / image write 必須另有變更證據與 post-check。
|
||
12. 前台呈現只能顯示脫敏產品 / 控管狀態,不得顯示 raw namespace、內部協作內容或工作視窗對話。
|
||
|
||
## 5. Blocked Actions
|
||
|
||
本 gate 通過前,以下動作全部維持 blocked:
|
||
|
||
1. install package
|
||
2. upgrade package
|
||
3. rewrite lockfile
|
||
4. change requirements pin
|
||
5. run external CVE lookup
|
||
6. run external license lookup
|
||
7. generate SBOM
|
||
8. docker pull
|
||
9. docker build
|
||
10. docker push
|
||
11. image tag change
|
||
12. image digest pin change
|
||
13. registry login
|
||
14. workflow modification
|
||
15. runner change
|
||
16. secret value collection
|
||
17. production deploy
|
||
18. runtime execution
|
||
19. action button enablement
|
||
20. treat owner policy as runtime approval
|
||
|
||
## 6. 不可誤讀
|
||
|
||
- `package-supply-chain-baseline.snapshot.json` 只是 repo-only baseline。
|
||
- `package-supply-chain-owner-policy-gate.snapshot.json` 只是 owner policy gate 草稿。
|
||
- 所有 request_sent、owner_response_received、owner_response_accepted、runtime_execution_authorized、action_buttons_allowed 仍是 `0 / false`。
|
||
- `owner policy gate` 通過只代表文件、snapshot 與 guard 對齊,不代表 Python lockfile、requirements pinning、Docker digest pinning、CVE / license / SBOM 已完成。
|
||
- 本輪不 install、不 upgrade、不 pull image、不 build image、不 push image,不登入 registry、不改 workflow、不改 secret、不部署。
|
||
|
||
## 7. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| Package / Docker supply-chain owner policy gate | `100%` | 已新增人讀文件、snapshot 與 guard,並可由總進度 guard 串接 |
|
||
| Node lockfile owner policy | `45%` | 已有 pnpm lockfile 與 owner policy request;尚未收到 owner response |
|
||
| Python lock policy | `45%` | 已有 Python lockfile 缺口與 owner policy request;尚未決定工具與 lockfile 策略 |
|
||
| requirements pinning policy | `35%` | 已有 26 條未 pin entry 的 policy request;尚未批准 pinning 或相容性窗口 |
|
||
| Docker / compose image policy | `45%` | 已有 C0 digest pinning policy request;尚未批准 digest 變更、registry owner 或 rollback |
|
||
| CVE / license / SBOM 驗證 | `15%` | 已定義 owner policy request;尚未批准外部掃描窗口或工具 |
|
||
| runtime gate | `0%` | 未開啟任何執行期閘門 |
|