
Commit 37fcf42

committed
Add notes on chainguard
1 parent ebc4175 commit 37fcf42

2 files changed

Lines changed: 70 additions & 0 deletions


Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
# Taming Vulnerability Chaos
2+
3+
> Taming vulnerability chaos across the multiverse of kubernetes and edge
4+
5+
## The problem
6+
7+
From virus scanners to binary scanners, they scan binary signatures, file patterns and resource usage. CVE scanners
8+
have a package database and do some metadata analysis. They differ in scanning techniques.
9+
10+
### Demo - Scanner comparison
11+
12+
When you do scanning on images, use digest pinning and always assume that image tags are mutable.
13+
When scanning images with Grype and Trivy, they differ in output, most notably on the vulerabilities without a fix.
14+
Trivy does not support vulnerabilities without a fix for alpine. This gives a false sense of security.
15+
16+
### Demo - SBOMs
17+
18+
Software Bill Of Materials describe all software and dependencies used. Why do this? When the next _log4j_ happens,
19+
you can quickly analyze where the code is used and which applications are impacted.
20+
21+
### Demo - Metadata manipulation
22+
23+
Some humans blindly trust scan results. Zero CVEs, let's use it! The demo shows that you can rename files in your image
24+
so they no longer match the CVE database. Now your image has 0 CVEs.
25+
26+
### Demo - Sigstore
27+
28+
When pusing the image to the registry, sign the digest because tags are mutable. Use sigstore in combination with Kubernetes
29+
admission controller to validate the images are not tampered with.
30+
31+
## Conclusion
32+
33+
- Supply chain security starts at the source
34+
- Generate SBOM during the build (apko and melange)
35+
- Use full provenance using sigstore
36+
- Reach level 3 SLSA
37+
38+
## Links
39+
40+
- <https://www.chainguard.dev/>
41+
- <https://github.com/aquasecurity/trivy>
42+
- <https://github.com/anchore/grype>
43+
- <https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro-designed-for-securing-the-software-supply-chain>
44+
- <https://www.sigstore.dev/>
45+
- <https://slsa.dev/>
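Review bot: two typos in the added notes: "vulerabilities" on line 13 should be "vulnerabilities", and "pusing" on line 28 should be "pushing". The statement on line 14 that Trivy reports no unfixed vulnerabilities for Alpine is the basis for the "false sense of security" conclusion, so it deserves a pointer to where that behaviour is documented (the advisory data source) rather than being left as a bare assertion. The metadata-manipulation demo (lines 23-24) ends at "Now your image has 0 CVEs" without tying back to the countermeasure the Conclusion already lists; a closing sentence such as "this is why the SBOM should be generated during the build rather than derived from the image afterwards" would connect the demo to line 34. Line 35, "Use full provenance using sigstore", reads awkwardly; "Produce full provenance with Sigstore" is clearer, and line 36 should read "Reach SLSA level 3", matching how SLSA names its levels.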
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
# Workshop - Chainguard
2+
3+
Traditional open source is an insecure foundation for software development. The current
4+
status of CVE management is deeply broken. You pull an upstream image, scan it, and then
5+
filter through 100 CVEs.
6+
7+
> Shift left? More like shift the blame!
8+
9+
## Building Docker images
10+
11+
Don't use single stage docker builds. Multi-stage is better because no build dependencies are
12+
present in the final image. APKO + Melange is the ideal way according to Chainguard.
13+
14+
## Best practices
15+
16+
- Pin by digest, for immutability
17+
- Sign with Sigstore, for provenance and trust
18+
- Build SBOMs, for visibility and compliance
19+
- Enforce in CICD, for shift-left ~blaming~ security
20+
- Use admission policies, for guardrails at runtime (with Gatekeeper/Kyverno)
21+
22+
## Links
23+
24+
- <https://github.com/chainguard-dev/apko>
25+
- <https://images.chainguard.dev/directory/image/wolfi-base/versions>
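Review bot: the multi-stage build advice on lines 11-12 states the benefit (no build dependencies in the final image) but gives the reader nothing concrete to copy; a two-stage Dockerfile sketch, or at least a sentence that the final stage should copy only the built artefact from the builder stage, would make the note actionable. On line 16, "Pin by digest" would be clearer with the form spelled out inline, e.g. `image@sha256:<digest>` instead of `image:tag`, since the first file's notes repeatedly stress that tags are mutable. Line 19 should read "CI/CD" rather than "CICD", and the `~blaming~` strikethrough should use the `~~blaming~~` form so it renders the same everywhere. Lines 3-5 make a strong claim ("deeply broken") without the supporting example the rest of the workshop notes supply; consider referencing the scanner-comparison and metadata demos from the first file so the claim is grounded.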
