
Back to the Drawing Board: Building Containers with SBoMs

2021-10-13

Authors: Nisha Kumar

Summary

The presentation discusses the use of SBoMs and container images in DevOps and cybersecurity, and the challenges in ensuring reproducibility and repeatability in container builds.
  • The speaker highlights the importance of using SBoMs and container images in DevOps and cybersecurity.
  • The speaker demonstrates the use of BuildKit and TUF to ensure reproducibility and repeatability in container builds.
  • The speaker also discusses the need for changes in the OCI image and distribution specs to support artifact management.
  • The presentation includes a demo of building and signing container images and SBoMs using BuildKit, TUF, and Cosign.

The speaker demonstrates the use of BuildKit and TUF to build a container image with Python 3 installed, and then uses TUF to generate an SBoM for the image. The speaker then shows how to use BuildKit to build a new container image on top of the previous one, and uses TUF to generate an SBoM for the new image. The speaker emphasizes the importance of using SBoMs to track the software components in container images and ensure their security and compliance.

Abstract

A Software Bill of Materials or SBoM is a list of the software components that comprise a software artifact, be it firmware, an OS, a VM, and yes, a container. We can generate an SBoM for a container image after the build using image scanners like Clair, Trivy, Tern, and Syft. This method is not foolproof, however, as these scanners rely on metadata existing in the container filesystem (such as package manifests) in order to report on the installed software. If a container goes through a multistage build, or through a tool like docker-slim that strips files to reduce the container's attack surface, all of that metadata is gone and the scanner has nothing to report. How do we get more accurate and consistent SBoMs for containers? We generate them at container build time. This talk demonstrates how we can do that with tools like Tern, Buildah, and the OCI specification. We will get back to the basics of building containers, learn about the OCI specification, and make a container builder which can generate an SBoM at build time.
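The failure mode the abstract describes, as an added illustration (not Tern's or Buildah's code): a multistage build is simulated over an in-memory filesystem with a constructed apk-style package database, so a post-build scan of the final scratch-based image finds nothing while a build-time generator that snapshots package metadata after each step still reports every package. Paths, package versions and the build steps are constructed for the example.

```python
"""Build-time vs post-build SBoM for a multistage container build (simulation)."""

APK_DB = "/lib/apk/db/installed"  # Alpine's installed-package database path

# Constructed sample in apk's installed-DB format: records separated by a
# blank line; P = package name, V = version, L = license. Versions are
# illustrative, not real release numbers.
SAMPLE_DB = """\
P:busybox
V:1.33.1-r3
L:GPL-2.0-only

P:python3
V:3.9.5-r0
L:PSF-2.0
"""


def parse_apk_db(text):
    """Return [{name, version, license}] parsed from apk installed-DB text."""
    pkgs = []
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        pkgs.append({"name": fields["P"], "version": fields["V"],
                     "license": fields.get("L", "NOASSERTION")})
    return pkgs


def scan_image(fs):
    """Post-build scanner: can only report metadata still present in the filesystem."""
    return parse_apk_db(fs[APK_DB]) if APK_DB in fs else []


def build(steps):
    """Run the build steps; snapshot package metadata after each one (build-time SBoM)."""
    fs, sbom = {}, []
    for step in steps:
        fs = step(fs)
        for pkg in scan_image(fs):          # metadata is still present at this step
            if pkg not in sbom:
                sbom.append(pkg)
    return fs, sbom


# Constructed build: FROM alpine; RUN apk add python3; build the service;
# FROM scratch; COPY --from=build /app/bin/svc  (package DB is left behind)
STEPS = [
    lambda fs: {**fs, APK_DB: SAMPLE_DB, "/usr/bin/python3": "elf"},
    lambda fs: {**fs, "/app/bin/svc": "elf"},
    lambda fs: {"/app/bin/svc": fs["/app/bin/svc"]},
]

final_fs, build_time_sbom = build(STEPS)
```

Scanning `final_fs` after the build yields an empty list, while `build_time_sbom` still lists busybox and python3.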

Materials: