{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:docker-build-surface-inventory-v1",
"title": "AWOOOI Docker build surface 盤點 v1",
"description": "由 repo 內 Dockerfile 產生的只讀 Docker base image 與 build surface 盤點。此 schema 不授權 docker build、image pull、registry push、外部 CVE 查詢、套件安裝或生產路由變更。",
"type": "object",
"required": [
"schema_version",
"generated_at",
"program_status",
"source_refs",
"rollups",
"surfaces",
"risk_findings",
"operation_boundaries",
"approval_boundaries"
],
"properties": {
"schema_version": {
"type": "string",
"const": "docker_build_surface_inventory_v1"
},
"generated_at": {
"type": "string",
"minLength": 1
},
"program_status": {
"type": "object",
"required": ["overall_completion_percent", "current_priority", "current_task_id", "next_task_id", "read_only_mode"],
"properties": {
"overall_completion_percent": {
"type": "integer",
"minimum": 0,
"maximum": 100
},
"current_priority": {
"type": "string",
"enum": ["P0", "P1", "P2", "P3"]
},
"current_task_id": {
"type": "string",
"minLength": 1
},
"next_task_id": {
"type": "string",
"minLength": 1
},
"read_only_mode": {
"type": "boolean",
"const": true
}
},
"additionalProperties": false
},
"source_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"rollups": {
"type": "object",
"required": [
"total_surfaces",
"dockerfile_count",
"external_image_ref_count",
"from_instruction_count",
"copy_from_external_image_count",
"digest_pinned_image_count",
"tag_pinned_image_count",
"build_time_network_fetch_count",
"non_root_runtime_count",
"healthcheck_count",
"by_status",
"action_required_surface_ids",
"planned_next_surface_ids"
],
"properties": {
"total_surfaces": {
"type": "integer",
"minimum": 0
},
"dockerfile_count": {
"type": "integer",
"minimum": 0
},
"external_image_ref_count": {
"type": "integer",
"minimum": 0
},
"from_instruction_count": {
"type": "integer",
"minimum": 0
},
"copy_from_external_image_count": {
"type": "integer",
"minimum": 0
},
"digest_pinned_image_count": {
"type": "integer",
"minimum": 0
},
"tag_pinned_image_count": {
"type": "integer",
"minimum": 0
},
"build_time_network_fetch_count": {
"type": "integer",
"minimum": 0
},
"non_root_runtime_count": {
"type": "integer",
"minimum": 0
},
"healthcheck_count": {
"type": "integer",
"minimum": 0
},
"by_status": {
"type": "object",
"additionalProperties": {
"type": "integer",
"minimum": 0
}
},
"action_required_surface_ids": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"planned_next_surface_ids": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
}
},
"additionalProperties": false
},
"surfaces": {
"type": "array",
"items": {
"type": "object",
"required": [
"surface_id",
"display_name",
"dockerfile_ref",
"status",
"risk_level",
"stage_count",
"external_image_refs",
"digest_pinned_image_refs",
"tag_pinned_image_refs",
"build_time_network_fetches",
"binary_sources",
"non_root_runtime",
"healthcheck_present",
"cache_controls",
"gate_status",
"evidence_refs",
"next_action"
],
"properties": {
"surface_id": {
"type": "string",
"minLength": 1
},
"display_name": {
"type": "string",
"minLength": 1
},
"dockerfile_ref": {
"type": "string",
"minLength": 1
},
"status": {
"type": "string",
"enum": ["ready", "action_required", "planned_next", "blocked", "deferred"]
},
"risk_level": {
"type": "string",
"enum": ["low", "medium", "high", "critical"]
},
"stage_count": {
"type": "integer",
"minimum": 0
},
"external_image_refs": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"digest_pinned_image_refs": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"tag_pinned_image_refs": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"build_time_network_fetches": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"binary_sources": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"non_root_runtime": {
"type": "boolean"
},
"healthcheck_present": {
"type": "boolean"
},
"cache_controls": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"gate_status": {
"type": "string",
"enum": [
"read_only_allowed",
"image_rebuild_blocked",
"external_cve_lookup_blocked",
"registry_push_blocked"
]
},
"evidence_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"next_action": {
"type": "string",
"minLength": 1
}
},
"additionalProperties": false
}
},
"risk_findings": {
"type": "array",
"items": {
"type": "object",
"required": ["finding_id", "severity", "status", "summary", "evidence_refs", "next_action"],
"properties": {
"finding_id": {
"type": "string",
"minLength": 1
},
"severity": {
"type": "string",
"enum": ["low", "medium", "high", "critical"]
},
"status": {
"type": "string",
"enum": ["action_required", "planned_next", "blocked", "accepted"]
},
"summary": {
"type": "string",
"minLength": 1
},
"evidence_refs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"next_action": {
"type": "string",
"minLength": 1
}
},
"additionalProperties": false
}
},
"operation_boundaries": {
"type": "object",
"required": [
"read_only_api_allowed",
"docker_build_allowed",
"image_pull_allowed",
"image_rebuild_allowed",
"registry_push_allowed",
"external_cve_lookup_allowed",
"package_installation_allowed",
"production_routing_allowed"
],
"properties": {
"read_only_api_allowed": {
"type": "boolean",
"const": true
},
"docker_build_allowed": {
"type": "boolean",
"const": false
},
"image_pull_allowed": {
"type": "boolean",
"const": false
},
"image_rebuild_allowed": {
"type": "boolean",
"const": false
},
"registry_push_allowed": {
"type": "boolean",
"const": false
},
"external_cve_lookup_allowed": {
"type": "boolean",
"const": false
},
"package_installation_allowed": {
"type": "boolean",
"const": false
},
"production_routing_allowed": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
},
"approval_boundaries": {
"type": "object",
"required": [
"sdk_installation_allowed",
"paid_api_call_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed",
"destructive_operation_allowed"
],
"properties": {
"sdk_installation_allowed": {
"type": "boolean",
"const": false
},
"paid_api_call_allowed": {
"type": "boolean",
"const": false
},
"shadow_or_canary_allowed": {
"type": "boolean",
"const": false
},
"production_routing_allowed": {
"type": "boolean",
"const": false
},
"destructive_operation_allowed": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}