Sign inContact usTry it out
Sign inContact usTry it out

Building images for the secure supply chain

Adrian Mouat, Staff OSS Engineer
  •  
December 27, 2022
The Case for Farm-to-Table Package Signing

During CloudNativeSecurityCon in Detroit, I gave a presentation on how the industry can do a better job of building secure container images. For those that were unable to attend the conference or join the session, the slides and full recording are now available. 

Here’s a quick look at the major takeaways from the presentation:

  • Start signing your images if you haven’t already. Sigstore and tools like cosign make this really simple, so it’s an easy win that everyone should be doing.
  • A lot of people are struggling with “scanner noise”; it’s difficult to keep up with all the vulnerabilities in container images reported by tools. The answer here is to look into reducing the number of dependencies in your images and be aggressive about keeping them up-to-date with latest releases (hint - try out our Chainguard Images!)
  • Ideally, we would be able to instantly identify our exposure to new vulnerabilities. In reality, no-one can do this right now. The hope is that Software Bills of Material (SBOMs) will help to address this in the future.

If you have any questions or comments on the topics covered during the talk, please reach out: Twitter @adrianmouat or LinkedIn.

The Case for Farm-to-Table Package Signing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

More articles

Chainguard’s response to CVE-2023-4527 in glibc

Dan Luhring, Staff Software Engineer
  •  
September 25, 2023

A growing ecosystem of vulnerability scanners that now support Chainguard Images and Wolfi

Kim Lewandowski, Chief Product Officer
  •  
September 21, 2023

How to use Dockerfiles with wolfi-base images

Adrian Mouat, Staff DevRel Engineer
  •  
September 14, 2023

Don’t break the chain – secure your supply chain today!

Contact us
Please direct security disclosures or questions about our bug bounty program to security@chainguard.dev
Copyright 2022
BlogCareersLegalTerms

Sign up for our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Unchained
Products
Chainguard Images
Reduce your attack surface with minimal, distroless images.
Chainguard Enforce
Manage, monitor and enforce end-to-end policies.
Chainguard Services
Infrastructure, configuration, and compliance assessment.
Developer
Resources
Company
Contact
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Education
Back
About
Newsroom
Careers
Back
About
Newsroom
Careers
Engineering

Building images for the secure supply chain

Adrian Mouat, Staff OSS Engineer
December 27, 2022
copied

During CloudNativeSecurityCon in Detroit, I gave a presentation on how the industry can do a better job of building secure container images. For those that were unable to attend the conference or join the session, the slides and full recording are now available. 

Here’s a quick look at the major takeaways from the presentation:

  • Start signing your images if you haven’t already. Sigstore and tools like cosign make this really simple, so it’s an easy win that everyone should be doing.
  • A lot of people are struggling with “scanner noise”; it’s difficult to keep up with all the vulnerabilities in container images reported by tools. The answer here is to look into reducing the number of dependencies in your images and be aggressive about keeping them up-to-date with latest releases (hint - try out our Chainguard Images!)
  • Ideally, we would be able to instantly identify our exposure to new vulnerabilities. In reality, no-one can do this right now. The hope is that Software Bills of Material (SBOMs) will help to address this in the future.

If you have any questions or comments on the topics covered during the talk, please reach out: Twitter @adrianmouat or LinkedIn.

Related articles
Engineering
Fully bootstrapping Go from source in Wolfi
August 11, 2023
Engineering
Good MLOps is good ML supply chain security
July 25, 2023
Engineering
OCI announces upcoming changes for registries
July 13, 2023
Products

Chainguard Images

Chainguard Enforce

Chainguard Services

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact