steampipe plugin install oci

Table: oci_artifacts_container_image_signature - Query OCI Artifacts Container Image Signatures using SQL

Oracle Cloud Infrastructure's (OCI) Artifacts service is a fully managed, scalable, and secure artifact storage and sharing service. OCI Artifacts allows you to share container images within and across regions and tenancies. OCI Artifacts Container Image Signatures are cryptographic proofs that are used to verify the authenticity and integrity of OCI Artifacts Container Images.

Table Usage Guide

The oci_artifacts_container_image_signature table provides insights into the cryptographic signatures associated with OCI Artifacts Container Images. As a security analyst, you can use this table to explore signature-specific details, including the cryptographic algorithm used, the key used for signing, and the signature value. This can be beneficial for verifying the authenticity and integrity of the container images in your OCI environment.

Examples

Basic info

Explore which OCI artifacts container image signatures have been created, by whom, and with what key and algorithm. This can help in understanding the security and accountability aspects of your OCI artifacts.

select
  display_name,
  id,
  created_by,
  image_id,
  kms_key_id,
  kms_key_version_id,
  message,
  signature,
  signing_algorithm
from
  oci_artifacts_container_image_signature;

List signatures created in last 30 days

Explore which signatures have been created in the past 30 days. This is useful for keeping track of recent activity and ensuring all newly created signatures are valid and authorized.

Postgres:

select
  display_name,
  id,
  time_created,
  image_id,
  message,
  signature
from
  oci_artifacts_container_image_signature
where
  time_created >= now() - interval '30' day;

SQLite:

select
  display_name,
  id,
  time_created,
  image_id,
  message,
  signature
from
  oci_artifacts_container_image_signature
where
  time_created >= datetime('now', '-30 day');

Get image details of each signature

Explore the details of each digital signature associated with a container image, including the identity of the image and its lifecycle state. This can be useful to understand the usage and status of these images, especially in scenarios where image verification and integrity are crucial.

select
  s.display_name,
  s.id,
  s.signature,
  s.signing_algorithm,
  s.image_id,
  i.digest,
  i.lifecycle_state,
  i.manifest_size_in_bytes,
  i.pull_count
from
  oci_artifacts_container_image_signature as s,
  oci_artifacts_container_image as i
where
  i.id = s.image_id;

The same query written with an explicit join:

select
  s.display_name,
  s.id,
  s.signature,
  s.signing_algorithm,
  s.image_id,
  i.digest,
  i.lifecycle_state,
  i.manifest_size_in_bytes,
  i.pull_count
from
  oci_artifacts_container_image_signature as s
  join oci_artifacts_container_image as i on i.id = s.image_id;
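
The join above only returns images that already have a signature. The following query is an added example, not part of the plugin's documentation: it starts from the image table so that images with no signature row also appear, and it uses only columns shown on this page.

```sql
-- Added example: signature coverage per container image.
-- Images with signature_count = 0 have no row in the signature table.
select
  i.id as image_id,
  i.digest,
  i.lifecycle_state,
  i.pull_count,
  count(s.id) as signature_count,
  -- more than one key on a single image is worth a manual review
  count(distinct s.kms_key_id) as distinct_signing_keys,
  max(s.time_created) as latest_signature
from
  oci_artifacts_container_image as i
  left join oci_artifacts_container_image_signature as s on s.image_id = i.id
group by
  i.id,
  i.digest,
  i.lifecycle_state,
  i.pull_count
order by
  -- unsigned images first, most frequently pulled at the top
  signature_count asc,
  i.pull_count desc;
```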

Get KMS key details used by each image signature

Determine the KMS key version details associated with each image signature, including the key, the vault that holds it, its public key, and its origin. This can help identify irregularities in the signing process, such as signatures made with a key or vault you do not expect.

select
  s.display_name,
  s.id,
  s.kms_key_version_id,
  v.key_id,
  v.vault_id,
  v.public_key,
  v.origin
from
  oci_artifacts_container_image_signature as s,
  oci_kms_key_version as v
where
  v.id = s.kms_key_version_id;

List signatures with RSA signing algorithm

List the signatures that were created with the RSA signing algorithm. This is useful when reviewing which signing algorithms are in use across your container images.

select
  display_name,
  id,
  message,
  signature,
  signing_algorithm
from
  oci_artifacts_container_image_signature
where
  signing_algorithm = 'RSA';

Schema for oci_artifacts_container_image_signature

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| compartment_id | text | = | The OCID of the compartment in Tenant in which the resource is located. |
| created_by | text | | The id of the user or principal that created the resource. |
| display_name | text | = | The last 10 characters of the kmsKeyId, the last 10 characters of the kmsKeyVersionId, the signingAlgorithm, and the last 10 characters of the signatureId. |
| id | text | = | The OCID (https://docs.cloud.oracle.com/Content/General/Concepts/identifiers.htm) of the container image signature. |
| image_id | text | | The OCID (https://docs.cloud.oracle.com/Content/General/Concepts/identifiers.htm) of the container image. |
| kms_key_id | text | = | The OCID (https://docs.cloud.oracle.com/Content/General/Concepts/identifiers.htm) of the kmsKeyId used to sign the container image. |
| kms_key_version_id | text | = | The OCID (https://docs.cloud.oracle.com/Content/General/Concepts/identifiers.htm) of the kmsKeyVersionId used to sign the container image. |
| message | text | | The base64 encoded signature payload that was signed. |
| signature | text | | The signature of the message field using the kmsKeyId, the kmsKeyVersionId, and the signingAlgorithm. |
| signing_algorithm | text | = | The algorithm to be used for signing. These are the only supported signing algorithms for container images. |
| tenant_id | text | | The OCID of the Tenant in which the resource is located. |
| time_created | timestamp with time zone | | Time that Container Image Signature was created. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci

You can pass the configuration to the command with the --config argument:

steampipe_export_oci --config '<your_config>' oci_artifacts_container_image_signature