The presentation discusses the use of S-BOMs and container images in DevOps and cybersecurity, and the challenges in ensuring reproducibility and repeatability in container builds.
- The speaker highlights the importance of using S-BOMs and container images in DevOps and cybersecurity.
- The speaker demonstrates the use of BuildKit and TUF to ensure reproducibility and repeatability in container builds.
- The speaker also discusses the need for changes in the OCI image and distribution specs to support artifact management.
- The presentation includes a demo of building and signing container images and S-BOMs using BuildKit, TUF, and Cosign.
The speaker demonstrates the use of BuildKit and TUF to build a container image with Python 3 installed, and then uses TUF to generate an S-BOM for the image. The speaker then shows how to use BuildKit to build a new container image on top of the previous one, and uses TUF to generate an S-BOM for the new image. The speaker emphasizes the importance of using S-BOMs to track the software components in container images and ensure their security and compliance.
A Software Bill of Materials or SBoM is a list of software components that comprise a software artifact, be it firmware, OS, a VM, and yes, a container. We can generate an SBoM for container images post build using image scanners like Claire, Trivy, Tern, and Syft. This method is not foolproof, however, as they rely on metadata existing in the container filesystem (such as package manifests) in order to report on them. If a container goes through a multistage build or tools like Docker-slim to reduce the attack surface of the container, all that metadata is gone. How do we get more accurate and consistent SBoMs for containers? We generate them at container build time. This talk demonstrates how we can do that with tools like Tern, Buildah, and the OCI specification. We will get back to the basics of building containers, learn about the OCI specification, and make a container builder which can generate an SBoM at build time.