Hi all, I have been playing with the devcontainers and I believe they add loads of value to the development activity. However, while I appreciate the dynamicity of the code injections, I'd like to have a process to control the security of all the code we bring in. One idea I have in mind, but it might be that I am not seeing the spirit here, is to have devcontainers that point to docker compose which use containers with an immutable IDE code file system. The images are built with separate CI pipelines that qualify everything that is packaged in an image. The docker compose file is thus pointing to these qualified images and applies security policies, such as running with a read-only root file system. With this approach, I need to be able to:
Replies: 1 comment
Thank you for opening this discussion. From the details provided, I think the devcontainer prebuilds might help address your scenario. Prebuilds allow you to build and publish an image that can be used for creating development containers later on. This should also allow you to keep using devcontainer.json for all customizations including installing vscode extensions. Read more about prebuilds at https://containers.dev/guide/prebuild
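The policy described in the opening post (Compose services that point only at qualified images and run with a read-only root file system) can be enforced as a CI gate on the Compose file. The following is an added example, not code from the discussion participants or the Dev Containers project; the registry name, service names, digest and the `check_compose` helper are constructed for illustration.

```python
import json
import re

# Constructed sample: a Compose document written as JSON (which is valid YAML),
# so no YAML library is needed. Registry, services and digest are made up.
SAMPLE_COMPOSE = json.loads("""
{
  "services": {
    "ide":   {"image": "registry.example.com/dev/ide@sha256:%s",
              "read_only": true, "tmpfs": ["/tmp"]},
    "db":    {"image": "registry.example.com/dev/postgres:16",
              "read_only": false},
    "tools": {"build": {"context": "."}}
  }
}
""" % ("a" * 64))

# An image reference pinned by content digest: <repo>[:tag]@sha256:<64 hex>.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def check_service(name, svc, allowed_registries):
    """Return policy findings for one Compose service (empty list = pass)."""
    findings = []
    image = svc.get("image")
    if "build" in svc or image is None:
        # A local build bypasses the separate pipeline that qualifies images.
        findings.append(f"{name}: no prebuilt image (local build or missing image)")
    elif not DIGEST_REF.match(image):
        # Tags are mutable; only a digest identifies the qualified content.
        findings.append(f"{name}: image is not pinned by sha256 digest")
    elif image.split("/", 1)[0] not in allowed_registries:
        findings.append(f"{name}: registry is not in the qualified list")
    if svc.get("read_only") is not True:
        findings.append(f"{name}: root file system is not read-only")
    return findings


def check_compose(doc, allowed_registries):
    """Check every service, in name order, and collect all findings."""
    findings = []
    for name, svc in sorted(doc.get("services", {}).items()):
        findings.extend(check_service(name, svc, allowed_registries))
    return findings


if __name__ == "__main__":
    for finding in check_compose(SAMPLE_COMPOSE, {"registry.example.com"}):
        print("FAIL", finding)
```

A pipeline would fail the job when `check_compose` returns any findings, before the Compose file is referenced from `devcontainer.json`.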