Roadmap

Overview

At Ratify, our mission is to safeguard the container supply chain by ratifying trustworthy and compliant artifacts. We achieve this through a robust and pluggable verification engine that includes built-in verifiers. These verifiers can be customized to validate supply chain metadata associated with artifacts, covering essential aspects such as signatures and attestations (including vulnerability reports, SBOM, provenance data, and VEX documents). As the landscape of supply chain security evolves, we actively develop new verifiers, which can be seamlessly integrated into our verification engine. Additionally, if you have a specific use case, you can create your own verifier following our comprehensive guidance. Each verifier will generate detailed verification reports, which can be consumed by various policy controllers to enforce policies.

Ratify is designed to address several critical scenarios. It seamlessly integrates with OPA Gatekeeper, acting as the Kubernetes policy controller that shields your cluster from untrustworthy and non-compliant container images. As an external data provider for Gatekeeper, Ratify delivers artifact verification results that are in alignment with defined policies. Additionally, Ratify enhances security at the Kubernetes node level by extending its capabilities to container runtime through its plugin interface, which allows for detailed policy evaluations based on artifact verification outcomes. Lastly, incorporating Ratify into your CI/CD pipeline ensures the trustworthiness and compliance of container images prior to their usage.

This document presents the roadmap of Ratify that translates our strategy into practical steps.

Milestones

The Ratify roadmap is divided into milestones, each with a set of features (high level) and timeline. The milestones marked as Tentative are subject to change based on the project’s priorities and the community’s feedback. We will prioritize releases for security or urgent fixes, so the roadmap may be adjusted and new features may be postponed to the next milestone. Any dates and features listed below in a given milestone are subject to change. See the GitHub milestones for the most up-to-date issues and their status. We are targeting to release a new Ratify version every 3 or 4 months.

v1.0

Status: Completed

Released date: Sep 27, 2023

Release link: v1.0.0 Release Notes

Major features

Ratify as an external Data Provider for Gatekeeper
Plugin framework for extensibility
Policies for Notary Project signatures verification at admission control in kubernetes
Policies for Cosign keyless verification at admission control in kubernetes
High Availability support in Kubernetes (Experimental)

v1.1

Status: Completed

Release date: Dec 12, 2023

Release link: v1.1.0 Release Notes

Major features

Policies for assessing vulnerability reports at admission control in kubernetes
Policies for assessing software license at admission control in kubernetes
New diagnostic logs

v1.2

Status: Completed

Target date: May 31, 2024

Release link: v1.2.0 Release Notes

major features

Kubernetes multi-tenancy support (Namespace-specific policies)
OCI v1.1 compliance
Cosign signatures verification using keys in AKV

See details in GitHub milestone v1.2.0.

v1.3

Status: Completed

Target date: Sep 16, 2024

Release link: v1.3.0 Release Notes

Major features

Support of validating Notary Project signatures with timestamping
Support of periodic retrieval of keys and certificates stored in a Key Management System
Introducing trust policy configuration for Cosign keyless verification
Error logs improvements for artifact verification

See details in GitHub milestone v1.3.0.

v1.4

Status: Completed

Target date: Nov 30, 2024

Major features

Enable revocation checking using CRL (Certificate Revocation List) for Notary Project signatures
Add Trusted Signing as a Key Management Provider
Support retaining multiple previous versions of certificates/keys in Key Management Provider
Artifact filtering based on annotations

See details in GitHub milestone v1.4.0.

v2.0.0-alpha.1

Status: In procoess
Target date: May 15, 2025
Major features

Decouple Ratify core functionalities into a separate library(ratify-go), which could be easily integrated into different projects.
Design new interfaces for Verifier, Store, and PolicyEnforcer to make them more extensible and flexible.
Support notation-verifier under ratify-verifier-go in terms of the new Verifier interface.
Support Registry Store and local OCI layout in terms of the new Store interface.
Support config based policy in terms of the new PolicyEnforcer interface.
Create new external data provider for Gatekeeper based on the new framework.

Note

V2 milestones will cover a few sub-projects including libraries, CLI tools and external data provider.