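// Implementation example

/** One deployable service: its name, image reference and (optional) pinned content digest. */
type Service = { name: string; image: string; digest?: string };

/** Registry hosts from which service images may be pulled; anything else is denied (fail closed). */
const allowRegistries = new Set<string>(['docker.io', 'ghcr.io', 'registry.example.com']);

/**
 * True when the service carries a well-formed content digest.
 *
 * Accepts the bare 64-hex form the original check used and, as a
 * backward-compatible widening, the OCI `sha256:<64 hex>` form so a digest
 * copied verbatim from a registry is not rejected. Only the format is
 * checked — the digest is NOT verified against the referenced image here.
 *
 * @param s service under evaluation
 * @returns true when `digest` is present and well-formed
 */
function hasDigest(s: Service): boolean {
  if (!s.digest) return false;
  return /^(?:sha256:)?[A-Fa-f0-9]{64}$/.test(s.digest);
}

/**
 * True when `image` has the shape `host/repo[/sub...]:tag`.
 *
 * The original pattern only accepted exactly one repository segment
 * (`host/name:tag`), so common references such as
 * `docker.io/library/nginx:1.25` or `ghcr.io/org/app:1.0` were rejected;
 * nested repository paths are now accepted. A host segment and an explicit
 * tag are still required, and `image@digest` references are still rejected —
 * the digest belongs in the separate `digest` field.
 *
 * @param s service under evaluation
 * @returns true when the image reference matches the expected shape
 */
function validImage(s: Service): boolean {
  const ref = /^(\w[\w.-]*)\/((?:\w[\w.-]*\/)*\w[\w.-]*):([\w.-]+)$/;
  return ref.test(s.image);
}

/**
 * True when the first path segment of `image` is an allow-listed registry host.
 *
 * A reference without a slash (or with a non-host first segment such as
 * `library`) yields a first segment that is not in the allow list and is
 * therefore denied; no implicit default registry is assumed. A non-string
 * `image` (possible when the list comes from untyped config) is denied rather
 * than thrown on, matching the original try/catch behaviour.
 *
 * @param s service under evaluation
 * @returns true when the registry host is allow-listed
 */
function registryAllowed(s: Service): boolean {
  if (typeof s.image !== 'string') return false;
  const host = s.image.split('/')[0] ?? '';
  return allowRegistries.has(host);
}

/**
 * Evaluates every service and collects policy violations.
 *
 * Each service can contribute two error codes: `image:<name>` when the name
 * is empty, the image reference is malformed or its registry is not
 * allow-listed, and `digest:<name>` when no well-formed digest is pinned.
 * An empty list is trivially ok.
 *
 * @param list services to check
 * @returns `ok` (no violations) and the list of violation codes, in input order
 */
function evaluate(list: Service[]): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  for (const s of list) {
    if (!s.name || !validImage(s) || !registryAllowed(s)) errors.push(`image:${s.name}`);
    if (!hasDigest(s)) errors.push(`digest:${s.name}`);
  }
  return { ok: errors.length === 0, errors };
}

// Audit and runtime governance
// Audit the registry domain of each service image and its `digest` pinning;
// block on anomalies and emit remediation advice. Deployment changes require
// approval and archiving.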
