Commit 246f3dc

docs(oci): add security warning for insecure registry flag
Add comprehensive security warning documentation for the storage.oci.repository.insecure configuration option, highlighting:
- Production environment risks
- Man-in-the-Middle attack vulnerabilities
- SLSA guarantee violations
- Development-only usage recommendations

Parent: b0670ee, commit: 246f3dc

1 file changed (+12 −0 lines)

docs/config.md

Lines changed: 12 additions & 0 deletions
@@ -78,6 +78,18 @@ Supported keys include:
7878
| `storage.grafeas.notehint` (optional) | This field is used to set the [human_readable_name](https://github.com/grafeas/grafeas/blob/cd23d4dc1bef740d6d6d90d5007db5c9a2431c41/proto/v1/attestation.proto#L49) field in the Grafeas ATTESTATION note. If it is not provided, the default `This attestation note was generated by Tekton Chains` will be used. | | |
7979
| `storage.archivista.url` | The URL endpoint for the Archivista service. | A valid HTTPS URL pointing to your Archivista instance (e.g. `https://archivista.testifysec.io`). | None |
8080

81+
> [!WARNING]
82+
> **Security Considerations for `storage.oci.repository.insecure`**
83+
>
84+
> The `storage.oci.repository.insecure` flag allows connecting to OCI registries without TLS certificate verification. This feature is designed to ease developer overhead during testing and development where setting up HTTPS might be cumbersome.
85+
>
86+
> **Security Risks:**
87+
> - **Production Environment Risk**: Enabling this flag in production environments can lead to serious security compromises. Administrators must ensure this flag is only enabled for development and testing purposes.
88+
> - **Man-in-the-Middle Attacks**: Skipping TLS certificate verification makes the connection vulnerable to man-in-the-middle attacks where provenance could be tampered with.
89+
> - **SLSA Guarantees Violation**: Tampered provenance can lead to violation of SLSA (Supply chain Levels for Software Artifacts) guarantees that Tekton Chains promises to provide.
90+
>
91+
> **Recommendation**: Only use `storage.oci.repository.insecure: true` in development or test environments. For production deployments, always use secure HTTPS connections with valid TLS certificates (`storage.oci.repository.insecure: false`, which is the default).
92+
8193
#### docstore
8294

8395
You can read about the go-cloud docstore URI format [here](https://gocloud.dev/howto/docstore/). Tekton Chains supports the following docstore services:
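Review bot: the warning is internally inconsistent about what `storage.oci.repository.insecure` actually does, and that ambiguity undercuts the risk bullets that follow. The opening sentence says the flag "allows connecting to OCI registries without TLS certificate verification" (i.e. HTTPS is still used, but an untrusted certificate is accepted), while the very next sentence motivates it with registries "where setting up HTTPS might be cumbersome" (i.e. plain HTTP, no TLS at all). Those are different threat models: with a skipped certificate check an on-path attacker has to actively interpose, whereas plaintext HTTP exposes everything, including registry credentials, to passive observation. Pick the wording that matches the code's behaviour and make the "Man-in-the-Middle Attacks" bullet concrete about what an attacker on the path can do to the pushed provenance under that behaviour, rather than the generic "could be tampered with". Two smaller points: the admonition is inserted after the `storage.archivista.url` row, well away from the `storage.oci.repository.insecure` entry it documents, so a reader looking up that key will not see it unless the key's own table row cross-references the warning (or the note is moved next to it); and since the last paragraph already states that `false` is the default, consider saying so in the first paragraph as well so the reader learns the safe default before the list of risks.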
