The US Department of Defense (DoD) maintains a repository of images [https://software.af.mil/dsop/services/] that are accredited for use by DoD customers.
The DoD wants all approved containers to be based on approved and hardened base images, and requires the top software layers to undergo a thorough security scan. Software based on non-compliant base images, or with outstanding vulnerabilities that have not been addressed or justified, will not be approved for use by DoD customers.
We have decided to commit fully to a process for making SonarQube images available within this repository.
- Adopting DoD-compliant security scanning practices as part of our own release hardening will allow us to detect vulnerabilities in our own and dependent software that we were otherwise only learning of reactively.
- Software that’s gone through the approval process will not require customers to complete STIGs in order to run the software. STIG requests from US Government customers represent a not-insignificant volume of Community threads and commercial support tickets.
- The official repo for DoD-approved images is here: https://ironbank.dsop.io/
- There is a publicly-available GitLab instance used to store the source for images at https://dccscr.dsop.io/dsop
- A SonarQube project area already exists. This was formerly maintained by contractors working for the DoD but should be taken over by SonarSource: https://dccscr.dsop.io/dsop/sonarsource/sonarqube
- A repository of documents describing the overall DoD approach to DevSecOps and containerization is here: https://software.af.mil/dsop/documents/
- The onboarding guide for vendors looking to become Iron Bank contributors is here: https://repo1.dsop.io/dsop/dccscr/-/blob/master/contributor-onboarding/README.md
We want to provide and support official images for all the SonarQube editions we already offer on DockerHub: SonarQube Community Edition (CE), Developer Edition (DE) and Enterprise Edition (EE).