ratify
ratify copied to clipboard
ratify-project
feat: JSON Schema Validator schema File/URL
This is an issue to track feature updates to the this verifier once decisions have been made on how it obtains schema to validate against.
Currently there are two ways for the plugin to access schema files:
- Download via a URL
- Load in via canonical file path
Some of the concerns are:
- Pulling schemas from a URL might be the cause of some Timeout issues.
- They are being pulled too often (on every validation).
- Is allowing files to be pulled from the web is a good idea??
Downloading via URL:
- Concerns this might now not be allowed in some environments.
- It's downloading the schema file every time it's needed which is not ideal.
Loading from local file:
- It's difficult to get the schemas files local to Ratify, similar problem as loading of custom plugins (before OCI plugins was a thing).
- Requires updating of Dockerfile, volume mounts, and or hacking up the chart/Helm install to include schemas.
A few ideas for new approaches are outlined below.
Allow plugins to pull schemas on registration:
- Add a "get metadata" action on the verifier/store plugin interface
- Wire that up to the skeletons
- When we register a plugin, invoke the executable with that call
- In most existing plugins: implement as a no-op
- In the schema validator, read in the input config and preload all the schemas to disk
- Read the response, handle accordingly in ratify (ex: fail on version mismatch)
Leverage OCI artifacts idea:
- Maybe package schemas with schema validator plugin?
- Store schemas in registry and pull as needed (probably using approach above leveraging a 'get metadata' call)?
Ship with schemas:
- Ship Ratify with required schemas the validator can use (update dockerfile)
- Users can configure which shipped schemas they attach the plugin to
