During CloudNativeSecurityCon in Detroit, I gave a presentation on how the industry can do a better job of building secure container images. For those that were unable to attend the conference or join the session, the slides and full recording are now available.
Here’s a quick look at the major takeaways from the presentation:
Start signing your images if you haven’t already. Sigstore and tools like cosign make this really simple, so it’s an easy win that everyone should be doing.
A lot of people are struggling with “scanner noise”: it’s difficult to keep up with all the vulnerabilities in container images reported by scanning tools. The answer here is to reduce the number of dependencies in your images and be aggressive about keeping them up to date with the latest releases (hint: try out our Chainguard Images!).
Ideally, we would be able to instantly identify our exposure to new vulnerabilities. In reality, no one can do this right now. The hope is that Software Bills of Materials (SBOMs) will help to address this in the future.
If you have any questions or comments on the topics covered during the talk, please reach out: Twitter @adrianmouat or LinkedIn.