What Changed

Added a Docker image integrity verification function to both SAP data connector deployment scripts (sapcon-sentinel-kickstart.sh and sapcon-sentinel-ui-agent-kickstart.sh).

Security Impact (Supply Chain Protection)

The new verify_image_integrity() function addresses container supply chain attack vectors by:

  • Extracting local image digest from docker inspect after pull completion
  • Querying remote registry digest via docker manifest inspect as primary verification method
  • Falling back to digest extraction from docker pull output when manifest inspection fails
  • Terminating deployment with exit code 1 on any digest mismatch

This prevents scenarios where a compromised or man-in-the-middle attack could substitute malicious container images during the docker pull operation. Previously, the deployment scripts performed no post-pull verification that the downloaded image matched the intended registry artifact.

Deployment Impact

Deployments now perform an additional integrity check after Docker image download but before container instantiation. The verification step adds minimal overhead while closing a significant supply chain security gap in the SAP connector installation process.

Affected Files

Solutions/SAP/sapcon-sentinel-kickstart.sh
Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh
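
A sketch of the digest comparison step described under Security Impact, written as an added example and not taken from the PR's scripts. The function names (extract_digest, compare_digests) and all sample values are hypothetical and constructed; the inputs stand in for text captured from docker inspect and from the registry query or pull output.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical/constructed.

# Return the first well-formed sha256 digest found in the given text, e.g. a
# RepoDigests entry ("repo@sha256:<hex>") or a "Digest: sha256:<hex>" line.
extract_digest() {
    printf '%s\n' "$1" | grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1
}

# Compare local and remote digests, failing closed.
# Returns 0 on match, 1 on mismatch, 2 if either digest is missing or malformed.
compare_digests() {
    local_digest=$(extract_digest "$1")
    remote_digest=$(extract_digest "$2")
    # Two empty strings compare equal, so reject empties before comparing.
    if [ -z "$local_digest" ] || [ -z "$remote_digest" ]; then
        echo "integrity check: digest unavailable, refusing to continue" >&2
        return 2
    fi
    if [ "$local_digest" != "$remote_digest" ]; then
        echo "integrity check: mismatch local=$local_digest remote=$remote_digest" >&2
        return 1
    fi
    return 0
}

# Constructed sample data (not real image digests).
HEX_A=$(printf '%064d' 0 | tr 0 a)
HEX_B=$(printf '%064d' 0 | tr 0 b)
SAMPLE_LOCAL="registry.example/sample/agent@sha256:${HEX_A}"
SAMPLE_REMOTE="latest: Pulling from sample/agent
Digest: sha256:${HEX_A}
Status: Image is up to date for registry.example/sample/agent:latest"
SAMPLE_OTHER="Digest: sha256:${HEX_B}"

if compare_digests "$SAMPLE_LOCAL" "$SAMPLE_REMOTE"; then
    echo "digests match, safe to start the container"
fi
```

A caller that wants the behaviour listed above would exit 1 on any non-zero return, so an unreadable digest stops the deployment the same way a mismatch does.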