1 of 11

SOFTWARE SUPPLY CHAIN

ADVENTURES IN CONTAINER OPERATIONS AND MAINTENANCE

2 of 11

WHEN YOU’RE HOLDING THE MOON FOR RANSOM, YOU VALUE STABILITY IN AN APPLICATION.

3 of 11

OFFICIAL IMAGES ARE PRETTY GOOD

4 of 11

OFFICIAL IMAGES ARE PRETTY GOOD?

5 of 11

SOME IMAGES ARE OFFICIALLY TOYS/DEMOS

6 of 11

JENKINS USED “DOCKER PULL”. IT WASN’T VERY EFFECTIVE.

7 of 11

TRUST, BUT VERIFY

Vulnerability Scanners

And more…

Container Image Registries

  • Harbor, https://goharbor.io/ (uses Trivy)
  • Amazon ECR (uses Clair)

And others…

8 of 11

SAMPLE SCAN RESULTS

9 of 11

FALSE ALARM

10 of 11

OTHER THINGS TO LOOK FOR

11 of 11

IF WISHES WERE FISHES

  • Posted, easily found release engineering information
  • Frequently updated upstream container images
  • Variety of container image tags to support different risk appetites
  • Routine vulnerability scanning integrated with CI/CD infrastructure
  • Intelligent vulnerability scan results processing
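The last two wishes, routine scanning in CI/CD and intelligent processing of the results (including the "false alarm" case), can be combined in a small gate step. The following is an added example, not code from the deck or from any of the tools it names: it reads a Trivy-style JSON report (Trivy being the scanner Harbor uses), suppresses only findings that carry a documented, reviewed reason, and fails the build on anything at or above a chosen severity. The image name, CVE ids and versions in the sample report are constructed placeholders.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report (assumed layout: top-level
# "Results", each with a "Target" and a "Vulnerabilities" list that may be null).
# CVE ids, package versions and the image name are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example/ci-image:latest (debian 11)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1n-3", "FixedVersion": "1.1.1n-4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
         "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
         "InstalledVersion": "7.74.0-1", "FixedVersion": "7.74.0-2", "Severity": "LOW"},
    ]}]})

# Documented false alarms: id -> reason. A suppression without a written, dated
# reason is not accepted, so the list stays auditable instead of silently growing.
ALLOWLIST = {
    "CVE-0000-0002": "2024-01-01 sec-team: affected code path is not shipped in this image",
}

def triage(report_json, allowlist, fail_on="HIGH"):
    """Split findings into blocking / suppressed / below-threshold and return a verdict."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, suppressed, below = [], [], []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for a target with no findings; "or []" covers that.
        for v in result.get("Vulnerabilities") or []:
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
                     "fixed": v.get("FixedVersion", ""), "target": result["Target"]}
            if SEVERITY_RANK.get(v["Severity"], 0) < threshold:
                below.append(entry)
            elif v["VulnerabilityID"] in allowlist and allowlist[v["VulnerabilityID"]].strip():
                entry["reason"] = allowlist[v["VulnerabilityID"]]
                suppressed.append(entry)
            else:
                blocking.append(entry)
    return {"pass": not blocking, "blocking": blocking,
            "suppressed": suppressed, "below_threshold": below}

if __name__ == "__main__":
    verdict = triage(SAMPLE_REPORT, ALLOWLIST)
    for e in verdict["blocking"]:
        print(f"BLOCK {e['id']} {e['severity']} {e['pkg']} fix={e['fixed'] or 'none'}")
    for e in verdict["suppressed"]:
        print(f"SKIP  {e['id']} ({e['reason']})")
    raise SystemExit(0 if verdict["pass"] else 1)
```

Run as a CI step after the scan, the non-zero exit code blocks the pipeline while the printed lines leave a record of what was suppressed and why.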