I saw that Binary Authorization only enables trusted containers to be deployed on GCP.
Great, but what are the settings that decide whether a container is trusted or not?
I mean, can we say I don't authorize a specific imported library, or I'm looking for specific files/things inside a container?
Thanks
Binary Authorization doesn't check the content of your container; it "only" checks the hosting source of the containers.
If it belongs to the authorized list, you can use it; otherwise, you can't.
In addition, you can add attestors that check, in addition to the hosting location, the signature of the container to be sure that the correct process generated it (and it's not a manual push). You can add this step in your Cloud Build pipeline, for example.
Of course, you need to restrict access to the source of truth (signing key and hosting location) to only automated processes to prevent any manual actions (and the risk of tampered images).
You may be mixing this feature up with the container vulnerability scanner. But in any case, you can't customize this scanner to prevent the use of specific libraries.
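To make the two controls described in the answer concrete, here is an added example of a Binary Authorization policy file (it is not part of the answer above, and not a file from Google's documentation). It combines the registry allowlist (the "hosting location" check) with a default rule that requires an attestation from one attestor. `PROJECT_ID` and the attestor name `build-attestor` are placeholders you would replace with your own values.

```yaml
# Added example: a Binary Authorization policy (not from the original answer).
# PROJECT_ID and build-attestor are placeholders; substitute your own values.
# Workflow: `gcloud container binauthz policy export > policy.yaml`,
# edit the file, then `gcloud container binauthz policy import policy.yaml`.

# Hosting-location check: images matching these patterns are admitted
# without any attestation. Keep the list short and specific.
admissionWhitelistPatterns:
  - namePattern: gcr.io/google-containers/*
  - namePattern: gke.gcr.io/**

# Signature check: every other image must carry an attestation signed by
# the named attestor. Only the automated Cloud Build pipeline should hold
# the key that produces that attestation, so a manual push is rejected.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  # Use DRYRUN_AUDIT_LOG_ONLY first to see what would be blocked,
  # then switch to ENFORCED_BLOCK_AND_AUDIT_LOG.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/build-attestor

# Also apply Google's managed policy for GKE system images.
globalPolicyEvaluationMode: ENABLE
```

Note what this policy does not do: it never inspects layers, libraries or files inside the image. The only two questions it answers are "does the image name match an allowlisted pattern?" and "is there a valid attestation for this exact image digest from the required attestor?". Restricting a library therefore has to happen upstream, in the build pipeline that decides whether to sign the image at all.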