Merge pull request #473 from eclipse-tractusx/make-aligned-base-image-trg-more-precise
SebastianBezold authored Nov 8, 2023
2 parents 9b1b3e3 + a885a4c commit 92d4b9d
Showing 1 changed file with 18 additions and 7 deletions.
25 changes: 18 additions & 7 deletions docs/release/trg-4/trg-4-02.md
Expand Up @@ -13,17 +13,23 @@ Proposed release date: "mandatory after": 19th of May 2023

## Why

Due to legal constrains we need to annotate the released container images to make it clear that we do our best to provide good images for demo purposes,
but we do not provide any legal guarantee. To make that process easy, we are aligning on agreed base images for specific
languages and use an aligned section to describe the base image.
As part of our legal due diligence, we need to provide the best information possible about our distributed (published) Docker images.
Similar to our 3rd-party dependency scans and the `DEPENDENCIES` file, Docker images also have to be scanned and the results published.
We want to help you to keep a high standard process, by defining guidelines, described in this TRG.

## Description

Since many of our Eclipse Tractus-X product use the same language, we are aligning on a dedicated container base image
per language.
As Eclipse Tractus-X project, we don't have automated processes for publishing container scan results (yet). This is why we use information that is already gathered for us.
DockerHub is running container scans for all [official images](https://docs.docker.com/trusted-content/official-images/)
and is publishing the scans result in the [docker-library/repo-info repository](https://github.com/docker-library/repo-info).

We are leveraging this information by restricting the base images we use for our published container images to a minimal set.
Aligning on specific base images also gives us the opportunity to provide you with templates for the legal notice,
like described in [TRG 4.06 - Notice for docker images](./trg-4-06.md)

The following table lists container base images, that are already agreed on.

| Language / Runtime / OS | Container base image | Notes |
| Language / Runtime / OS | Container base image | Notes |
|---------------------------|----------------------------------------------------------------------------|----------------------------------------------------------|
| Java / Kotlin / JVM based | [Eclipse Temurin](https://hub.docker.com/_/eclipse-temurin) | prefer JRE over JDK and alpine tags for your JRE version |
| JS frontends | [nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged) | prefer :stable-alpine tag |
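Review bot: the added Description text justifies the base image restriction with the scan results DockerHub publishes for official images (the `official-images` link and `docker-library/repo-info`), but the table in the same hunk lists `nginxinc/nginx-unprivileged`, which is hosted under `hub.docker.com/r/` rather than `hub.docker.com/_/`, i.e. it is a vendor/community image and not a Docker official image, so `repo-info` does not publish scan results for it; either add a sentence explaining how scan results are obtained for non-official base images, or record that gap in the table's Notes column so readers do not assume coverage that is not there. Minor wording in the added lines: `scans result` should read `scan results`, `like described in` should read `as described in`, and the sentence ending with `[TRG 4.06 - Notice for docker images](./trg-4-06.md)` lacks a period; `The following table lists container base images, that are already agreed on.` does not need the comma.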
Expand All @@ -35,5 +41,10 @@ If the language or runtime environment of your product is not listed above, feel
and propose your preferred container images as base image.

:::info
Also be aware of the necessary references to the used base image and your products Dockerfile(s) described in [TRG 4.06](./trg-4-06.md)
As stated in the description above, base image usage is particularly aligned for container images, that we distribute by publishing them on DockerHub.
In case you are using Docker images for build or testing purposes (for example pandoc or cypress, etc.) and you do not publish the images,
you can use other publicly available image, as long as the tools are open source license compliant.

For automated TRG checks, you can skip base image checks on Dockerfiles by declaring it in the `.tractusx` metadata files.
Details can be found in the [metadata file documentation](https://github.com/eclipse-tractusx/tractusx-quality-checks/blob/main/docs/metadata_file.md)
:::
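Review bot: the new paragraph on skipping base image checks via the `.tractusx` metadata file does not tie the opt-out to the condition introduced just above it (images used only for build or testing and not published); as written, a reader could declare a skip for a published image's Dockerfile as well, which would undercut the scan-result rationale given in the Description. Suggest wording along the lines of `you can skip base image checks for such non-published build or test Dockerfiles by declaring it in the `.tractusx` metadata file`. Wording: `other publicly available image` should be `other publicly available images`, `as long as the tools are open source license compliant` leaves unclear what must be compliant (the image's tools and their licenses), and the final sentence before `:::` lacks a period.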
