Building images for the secure supply chain
During CloudNativeSecurityCon in Detroit, I gave a presentation on how the industry can do a better job of building secure container images. For those who were unable to attend the conference or join the session, the slides and full recording are now available.
Here’s a quick look at the major takeaways from the presentation:
Start signing your images if you haven’t already. Sigstore and tools like cosign make this really simple, so it’s an easy win that everyone should be doing.
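As an added illustration of that first takeaway (this is not code from the talk or from Chainguard), the helper below wraps the cosign CLI for keyless signing and verification the way a CI job would call it. It assumes cosign 2.x is on the PATH when actually run; the image reference, signer identity and repository are constructed placeholders, while the OIDC issuer shown is the real one used by GitHub Actions. The command builders are pure functions so the policy they encode (sign digests, never tags; verify against a specific identity and issuer rather than "any valid signature") can be checked without a registry.

```python
"""Keyless container-image signing and verification built around the cosign CLI.

Added example; assumes cosign 2.x is installed. Image references and the signer
identity are constructed placeholders.
"""
import re
import shutil
import subprocess
from typing import List

# A digest-pinned reference looks like registry/repo@sha256:<64 hex chars>.
# Tags are mutable, so only a digest names exactly the bytes that were signed.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref: str) -> bool:
    """True when the reference pins a specific manifest digest rather than a tag."""
    return DIGEST_REF.match(image_ref) is not None


def sign_command(image_ref: str) -> List[str]:
    """argv for keyless signing (short-lived Fulcio certificate, Rekor log entry).

    Refuses tag references: signing a tag would bind the signature to whatever
    the tag happened to resolve to at that moment.
    """
    if not is_digest_pinned(image_ref):
        raise ValueError(f"refusing to sign a tag reference: {image_ref}")
    # --yes skips the interactive prompt about uploading to the transparency log.
    return ["cosign", "sign", "--yes", image_ref]


def verify_command(image_ref: str, identity: str, issuer: str) -> List[str]:
    """argv for verification that requires a specific signer identity and OIDC issuer.

    Without both flags a signature from any Fulcio-issued certificate would pass,
    which is not the policy anyone wants in a deployment gate.
    """
    return [
        "cosign", "verify",
        f"--certificate-identity={identity}",
        f"--certificate-oidc-issuer={issuer}",
        image_ref,
    ]


def run_cosign(argv: List[str]) -> str:
    """Execute a cosign command and return its stdout (verify prints JSON there)."""
    if shutil.which(argv[0]) is None:
        raise RuntimeError("cosign is not installed or not on PATH")
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own image and workflow.
    image = "ghcr.io/example-org/example-app@sha256:" + "0" * 64
    signer = ("https://github.com/example-org/example-app/"
              ".github/workflows/release.yml@refs/heads/main")
    issuer = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
    print(" ".join(sign_command(image)))
    print(" ".join(verify_command(image, signer, issuer)))
```

In a pipeline, the verification command is what an admission controller or deploy step runs before pulling the image; the identity string is the workflow that is allowed to have produced it, so a signature from a different repository or branch fails even though it is otherwise valid.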
A lot of people are struggling with “scanner noise”: it’s difficult to keep up with all the vulnerabilities in container images reported by tools. The answer here is to look into reducing the number of dependencies in your images and be aggressive about keeping them up to date with the latest releases (hint: try out our Chainguard Images!)
Ideally, we would be able to instantly identify our exposure to new vulnerabilities. In reality, no one can do this right now. The hope is that Software Bills of Materials (SBOMs) will help to address this in the future.
If you have any questions or comments on the topics covered during the talk, please reach out on Twitter (@adrianmouat) or LinkedIn.