Skip to content

Complete: Phase 1 - Missing Core Infrastructure Components #121

New issue
New issue
Open
Open
Complete: Phase 1 - Missing Core Infrastructure Components#121
Labels
devTriggers Simple Forge's Software Developer role to start working on the issue
@simple-container-forge

Description

@simple-container-forge
simple-container-forge
bot
opened on Feb 6, 2026

Implementation Request

Parent Issue: #105
Base Branch: architect/issue-105-container-security

Description

Complete Phase 1 by implementing the missing 8 critical files: cache layer, comprehensive config model, tool management (installer, version checker, registry), API-level security config types, and integration with pkg/api/client.go. This establishes the foundation required for all subsequent phases.

Technical Notes

Implement missing Phase 1 files identified in IMPLEMENTATION_STATUS.md. Cache: stores scan results (6h TTL) and SBOMs (24h TTL) in ~/.simple-container/cache/security/. Config: comprehensive SecurityConfig with SBOM, Provenance, Scan types (not just Signing). Tools: installer.go validates tool availability (cosign v3.0.2+, syft v1.41.0+, grype v0.106.0+, trivy v0.68.2+), version.go checks version requirements, registry.go manages tool registry. API: add SecurityDescriptor to pkg/api/security_config.go and integrate with StackConfigSingleImage in pkg/api/client.go. Update cmd/schema-gen/main.go for JSON schema generation. Add comprehensive unit tests: cache_test.go, config_test.go, tools/*_test.go, context_test.go (enhance existing). Target 90%+ test coverage.

Files/Areas

  • pkg/security/cache.go (NEW)
  • pkg/security/config.go (NEW)
  • pkg/security/tools/installer.go (NEW)
  • pkg/security/tools/version.go (NEW)
  • pkg/security/tools/registry.go (NEW)
  • pkg/api/security_config.go (NEW)
  • pkg/api/client.go (MODIFY - add Security *SecurityDescriptor field)
  • cmd/schema-gen/main.go (MODIFY - add security schema generation)
  • pkg/security/cache_test.go (NEW)
  • pkg/security/config_test.go (NEW)
  • pkg/security/context_test.go (NEW - comprehensive)
  • pkg/security/tools/installer_test.go (NEW)
  • pkg/security/tools/version_test.go (NEW)
  • pkg/security/executor.go (MODIFY - use new config types)

Acceptance Criteria

  • Cache.Set() and Cache.Get() store and retrieve results by CacheKey(operation, imageDigest, configHash)
  • Cache implements TTL expiration: SBOM 24h, scan-grype 6h, scan-trivy 6h
  • Cache stores data in ~/.simple-container/cache/security/ with proper file permissions (0600)
  • SecurityConfig includes comprehensive types: Enabled, Signing, SBOM, Provenance, Scan with all nested config structs
  • SBOMConfig includes: enabled, format (cyclonedx-json/spdx-json/etc), output, required fields
  • ProvenanceConfig includes: enabled, format (slsa-v1.0), output, includeGit, includeDockerfile, required fields
  • ScanConfig includes: enabled, tools []ScanToolConfig, failOn (critical/high/medium/low), warnOn, required fields
  • ToolInstaller.CheckInstalled() validates tool availability in PATH and returns clear errors with installation URLs
  • ToolVersionChecker.ValidateVersion() checks minimum versions: cosign v3.0.2+, syft v1.41.0+, grype v0.106.0+, trivy v0.68.2+
  • ToolRegistry maintains registry of available tools with metadata (name, command, minVersion, installURL)
  • pkg/api/security_config.go defines SecurityDescriptor matching pkg/security types
  • pkg/api/client.go StackConfigSingleImage has Security *SecurityDescriptor field
  • pkg/api/client.go ComposeService has Security *SecurityDescriptor field
  • cmd/schema-gen/main.go generates JSON schemas for SecurityDescriptor, SigningConfig, SBOMConfig, ProvenanceConfig, ScanConfig in docs/json-schemas/
  • Unit tests achieve 90%+ coverage: cache_test.go, config_test.go, context_test.go, tools/*_test.go
  • SecurityExecutor.ValidateConfig() uses new comprehensive config model and validates all fields
  • Config validation checks: signing.privateKey required when keyless=false, sbom.format in allowed list, scan.failOn in [critical,high,medium,low]

Design Documentation

  • docs/design/container-security/IMPLEMENTATION_STATUS.md
  • docs/design/container-security/component-design.md
  • docs/design/container-security/api-contracts.md
  • docs/design/container-security/implementation-plan.md

Notes

This task completes Phase 1 foundation. See IMPLEMENTATION_STATUS.md for detailed gap analysis. See component-design.md 'Core Components' section (lines 1-261) for Cache and Config designs. See api-contracts.md 'Core Types' section (lines 1-180) for type specifications. Current SecurityConfig in executor.go is minimal and needs expansion.

Dependencies

  • Builds on existing Phase 1 work (executor.go, context.go, errors.go, tools/command.go)
  • Requires Go 1.21+
  • External tools checked but not installed by code

Priority: high

This issue was automatically created by the Multi-Role Orchestration system.

Metadata

Metadata

Assignees

No one assigned

    Labels

    devTriggers Simple Forge's Software Developer role to start working on the issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions