google-cloud-platform, google-cloud-run, google-container-registry

Binary Authorization for Cloud Run vs gcloud vulnerability filter


I have enabled automatic vulnerability scanning for my images in Google's Container Registry and am now thinking of using Binary Authorization so that my Cloud Run services can only be deployed from images that pass a policy.

I read through the documentation https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis, and so I need to create an attestor, use the kritis signer to sign an image and create attestations based on my policy, and only then would the Cloud Run service be deployed.

I'm wondering if all of this is really necessary in my case.

In my GitHub Actions CI/CD pipelines I could use the gcloud command gcloud beta container images describe HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH --show-package-vulnerability to view the vulnerabilities for a newly uploaded and scanned image, and have my pipeline fail if I find any vulnerabilities of a certain severity (e.g. critical), or even ignore certain CVEs, before the Cloud Run service is deployed with the new image. So I could basically achieve the same as with the options available in the policy here https://github.com/grafeas/kritis/blob/HEAD/samples/signer/policy.yaml used by the kritis signer.

A gcloud command seems a lot simpler than implementing this whole process of using the kritis signer tool, creating attestations, etc.

So are there any advantages or security reasons why I should use Binary Authorization and follow that process instead of using the gcloud filter check in my CI/CD pipelines?

Thank you in advance for any help.
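The CI-side gate the question describes, as an added example that is not part of the original post: it takes the JSON from the gcloud describe command above and fails the step when a vulnerability exceeds a severity threshold unless its CVE is allowlisted, mirroring the severity threshold and CVE allowlist of the kritis signer policy. The JSON layout (a package_vulnerability_summary block whose vulnerabilities map is keyed by severity, each entry naming its CVE in noteName) and the sample report are assumptions constructed for this example.

```python
"""Hypothetical CI gate over `gcloud beta container images describe IMAGE@sha256:HASH
--show-package-vulnerability --format=json` output (assumed JSON shape, see lead-in)."""
import json
import sys

# Container Analysis severity levels, least to most severe.
SEVERITY_ORDER = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_rank(severity: str) -> int:
    """Unknown severities rank above CRITICAL so the gate fails closed."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def blocking_cves(report: dict, max_allowed: str, allowlist: set) -> list:
    """Return CVE ids more severe than max_allowed that are not in the allowlist."""
    threshold = severity_rank(max_allowed)
    summary = report.get("package_vulnerability_summary", {})
    blocked = []
    for severity, occurrences in summary.get("vulnerabilities", {}).items():
        if severity_rank(severity) <= threshold:
            continue  # at or below the tolerated severity
        for occ in occurrences:
            # ".../notes/CVE-0000-0001" -> "CVE-0000-0001" (assumed noteName layout)
            cve = occ["noteName"].rsplit("/", 1)[-1]
            if cve not in allowlist:
                blocked.append(cve)
    return sorted(blocked)


# Constructed sample report with placeholder CVE ids; not real scan output.
SAMPLE_REPORT = json.loads("""{
  "package_vulnerability_summary": {
    "total_vulnerability_found": 3,
    "vulnerabilities": {
      "CRITICAL": [{"noteName": "projects/goog-vulnz/notes/CVE-0000-0001"}],
      "HIGH": [{"noteName": "projects/goog-vulnz/notes/CVE-0000-0002"},
               {"noteName": "projects/goog-vulnz/notes/CVE-0000-0003"}]
    }
  }
}""")


def main(argv: list) -> int:
    """Exit non-zero (failing the pipeline step) when any CVE blocks the deploy."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    blocked = blocking_cves(report, max_allowed="MEDIUM", allowlist={"CVE-0000-0002"})
    for cve in blocked:
        print(f"blocking vulnerability: {cve}")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This check only runs where the pipeline runs: it says nothing about what the Cloud Run deploy path will accept from other registries or other pipelines, which is the separate layer Binary Authorization covers.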


Solution

  • There are 2 different layers:

    • On one side, you check that your container doesn't contain any known vulnerability
    • On the other side, with Binary Authorization, you check that you deploy a container from an authorized registry

    Imagine the case:

    • You correctly check the container CVEs in your CI/CD pipeline and you store it in your registry
    • Someone deploys a container from another registry.

    Even if you check YOUR container in YOUR registry, you don't protect Cloud Run against a deployment from another registry.

    So, all your efforts are useless!