**Implementation example**
```ts
type Image = { name: string; tag: string; digest: string }
type Sig = { alg: 'RS256'; kid: string; b64: string }
// allowRegistries holds origins such as 'https://registry.example.com' (matched against URL.origin below)
type Policy = { allowRegistries: Set<string>; pull: 'Always' | 'IfNotPresent' }

// A sha256 digest is exactly 64 hex characters
function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) }

// Image must come from an allow-listed registry, carry a tag and a well-formed digest
function validImage(i: Image, p: Policy): boolean {
  try {
    const url = new URL(`https://${i.name}`)
    return p.allowRegistries.has(url.origin) && !!i.tag && hex64(i.digest)
  } catch { return false } // unparsable image name
}

// Structural check only: algorithm, key id and base64 shape (not a cryptographic verification)
function validSig(s: Sig): boolean {
  return s.alg === 'RS256' && !!s.kid && /^[A-Za-z0-9+/=]+$/.test(s.b64)
}

function allowPull(i: Image, s?: Sig, p?: Policy): boolean {
  if (!p || !validImage(i, p)) return false
  if (p.pull === 'Always') return !!s && validSig(s) // 'Always' requires a signature
  return true                                         // 'IfNotPresent' does not
}
```
**Audit and runtime governance**
- Audit the image source, digest and signature; under the `Always` policy the signature must verify.
- Bind the SBOM to the image and archive it; on any anomaly, block the pull and fall back to a trusted version.
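The snippet above only checks the signature's shape. As an added example (not the page's own code), the following verifies the RS256 signature over the image digest against a key ring indexed by `kid`, and falls back to a pinned trusted version when verification fails. The key pair, image names and digests are constructed inline for the demo; `KeyRing`, `signImage`, `verifySig` and `resolvePull` are assumed names.

```typescript
import * as crypto from 'crypto'

type Image = { name: string; tag: string; digest: string }
type Sig = { alg: 'RS256'; kid: string; b64: string }
// kid -> trusted public key (assumed to be distributed out of band, not fetched from the registry)
type KeyRing = Map<string, crypto.KeyObject>

// The signed payload binds name and immutable digest; the mutable tag is deliberately excluded
function signedPayload(i: Image): Buffer {
  return Buffer.from(`${i.name}@sha256:${i.digest.toLowerCase()}`)
}

// Producer side (CI): RS256 = RSASSA-PKCS1-v1_5 over SHA-256, matching the Sig type above
function signImage(i: Image, kid: string, priv: crypto.KeyObject): Sig {
  return { alg: 'RS256', kid, b64: crypto.sign('sha256', signedPayload(i), priv).toString('base64') }
}

// Consumer side: a real cryptographic check, not a base64 format check
function verifySig(i: Image, s: Sig, ring: KeyRing): boolean {
  if (s.alg !== 'RS256' || !/^[A-Fa-f0-9]{64}$/.test(i.digest)) return false
  const pub = ring.get(s.kid)
  if (!pub) return false // unknown kid: reject, never try "any key"
  try {
    return crypto.verify('sha256', signedPayload(i), pub, Buffer.from(s.b64, 'base64'))
  } catch { return false }
}

// Runtime governance: a failed verification blocks the pull and resolves to the pinned trusted image
function resolvePull(req: Image, s: Sig | undefined, ring: KeyRing, trusted: Image): { image: Image; blocked: boolean } {
  const ok = !!s && verifySig(req, s, ring)
  return ok ? { image: req, blocked: false } : { image: trusted, blocked: true }
}

// Constructed demo: key pair and digests are generated here, not taken from any real registry
function demo(): { good: boolean; tampered: boolean; fallbackTag: string } {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
  const ring: KeyRing = new Map([['ci-key-1', publicKey]])
  const sha = (s: string) => crypto.createHash('sha256').update(s).digest('hex')
  const img: Image = { name: 'registry.example.com/app', tag: '1.4.2', digest: sha('demo-layer') }
  const trusted: Image = { name: 'registry.example.com/app', tag: '1.4.1', digest: sha('known-good') }
  const sig = signImage(img, 'ci-key-1', privateKey)
  const tampered: Image = { ...img, digest: sha('demo-layer-tampered') } // same tag, different content
  const t = resolvePull(tampered, sig, ring, trusted)
  return { good: !resolvePull(img, sig, ring, trusted).blocked, tampered: t.blocked, fallbackTag: t.image.tag }
}
```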