Building Images for the Secure Supply Chain - Adrian Mouat, Chainguard
Abstract
Security scans getting you down? Users complaining they can’t verify your images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don’t know where to start? You’re not alone – all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover:

- The distroless philosophy; why minimal images can save you from scan report purgatory
- The importance of updating images and dependencies
- Using apko to build container images with SBOMs and complete reproducibility
- Signing images with Sigstore

The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn’t have to mean hurting usability or productivity.