From 859510807d7423017bb18523436f7366795dacfb Mon Sep 17 00:00:00 2001
From: Brandon Mitchell
Date: Thu, 4 Sep 2025 14:36:48 -0400
Subject: [PATCH] Add a security annotation

Signed-off-by: Brandon Mitchell
---
 annotations.md             | 5 ++++-
 specs-go/v1/annotations.go | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/annotations.md b/annotations.md
index 96f5abfd8..012442762 100644
--- a/annotations.md
+++ b/annotations.md
@@ -53,6 +53,7 @@ This specification defines the following annotation keys, intended for but not l
 - This SHOULD be the immediate image sharing zero-indexed layers with the image, such as from a Dockerfile `FROM` statement.
 - This SHOULD NOT reference any other images used to generate the contents of the image (e.g., multi-stage Dockerfile builds).
 - If the `image.base.name` annotation is specified, the `image.base.digest` annotation SHOULD be the digest of the manifest referenced by the `image.ref.name` annotation.
+- **org.opencontainers.image.security** URL to get the image security policy (for a possible format, see [RFC 9116][rfc9116]). (string)
 
 ## Back-compatibility with Label Schema
 
@@ -74,10 +75,12 @@ While users are encouraged to use the **org.opencontainers.image** keys, tools M
 | `authors` | | No equivalent in Label Schema |
 | `licenses` | | No equivalent in Label Schema |
 | `ref.name` | | No equivalent in Label Schema |
+| `security` | | No equivalent in Label Schema |
 | | `schema-version`| No equivalent in the OCI Image Spec |
 | | `docker.*`, `rkt.*` | No equivalent in the OCI Image Spec |
 
 [distribution-reference]: https://github.com/distribution/distribution/blob/d0deff9cd6c2b8c82c6f3d1c713af51df099d07b/reference/reference.go
 [label-schema]: https://github.com/label-schema/label-schema.org/blob/gh-pages/rc1.md
-[rfc3339]: https://tools.ietf.org/html/rfc3339#section-5.6
+[rfc3339]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
+[rfc9116]: https://datatracker.ietf.org/doc/html/rfc9116
 [spdx-license-expression]: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
diff --git a/specs-go/v1/annotations.go b/specs-go/v1/annotations.go
index 581cf7cdf..b91783f20 100644
--- a/specs-go/v1/annotations.go
+++ b/specs-go/v1/annotations.go
@@ -59,4 +59,7 @@ const (
 
 	// AnnotationBaseImageName is the annotation key for the image reference of the image's base image.
 	AnnotationBaseImageName = "org.opencontainers.image.base.name"
+
+	// AnnotationSecurity is the annotation key for the URL to get the security policy on the image.
+	AnnotationSecurity = "org.opencontainers.image.security"
 )
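Review bot: The doc comment on the new `AnnotationSecurity` constant omits the format pointer and the trust caveat that a consumer of this key needs: the annotations.md entry in this same patch says the value is a URL whose document may follow RFC 9116, but the Go comment only says "the URL to get the security policy". Because the value is set by whoever produced the image, tooling that dereferences it is following a producer-controlled link, so the comment should say that the value is a string URL supplied by the image producer, that the referenced document's format is not mandated (RFC 9116 is a possible format), and that consumers should validate the URL (scheme, destination) before fetching and treat the fetched content as untrusted. Suggested replacement, in the file's "AnnotationX is the annotation key for …" style: `// AnnotationSecurity is the annotation key for the URL of the image's security policy (a string; for a possible document format, see RFC 9116). The value is supplied by the image producer, so consumers SHOULD validate it before dereferencing.` The enclosing `const (` block starts outside the hunk.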