Distributing Supply Chain Artifacts with OCI & ORAS Artifacts


Authors:   Steve Lasker


Best practices for managing and consuming public content and software in DevOps and cybersecurity
  • Keep a copy of the software and supply chain artifacts as close as possible to the deployment location
  • Automate builds and testing, and generate new supply chain artifacts
  • Scan and patch all deployed software, even if it's archived for compliance
  • Associate SBOMs and other claims with software versions in the registry
  • Add annotations to improve information over time
The speaker discussed the importance of keeping a tested copy of software in a location that can be depended upon, similar to how we rely on the refrigerator in our homes for fresh milk. They also emphasized the need to scan and patch all software, even if it's archived for compliance, and to associate SBOMs and other claims with software versions in the registry. Additionally, they highlighted the value of adding annotations to improve information over time.


In a world of continuous supply chain attacks, secure distribution matters more than ever. Your images are now signed, with a software bill of materials (SBOM) and frequent scan results. How will you consume them from public endpoints, promoting them across environments into private networks where there's no external access? ORAS Artifacts lifts OCI Artifacts to the next level by enabling graphs of artifact relationships to be established. When you archive or delete any given container image, the related artifacts are archived or deleted as well, providing predictable lifecycle management. ORAS Artifacts enable you to build upon the hardened, performant, securely distributed registries you're already using. Come see how registries are evolving, enabling all your cloud-native artifacts to be distributed from the public registries to your private environments, wherever they may be.
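The abstract describes two behaviours that the best-practices list above also relies on: attaching SBOMs and scan results to an image as a graph of related artifacts, and promoting or deleting that whole graph as one unit. The following is an added illustration, not code from the talk or from the ORAS project: a small in-memory model of a registry in which each artifact manifest names its `subject` image by digest, so referrers can be listed, copied into a private registry together with the image, and removed when the image is deleted. Media-type strings follow the OCI image and ORAS Artifacts manifest specs as I recall them, and the `artifactType` values, annotation keys, blob digests and registry names are constructed placeholders.

```python
import hashlib
import json

# Media types from the OCI image spec and the ORAS Artifacts manifest spec
# (assumed here; verify against the versions your registry supports).
OCI_IMAGE_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
ORAS_ARTIFACT_MANIFEST = "application/vnd.cncf.oras.artifact.manifest.v1+json"


def canonical_bytes(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def digest_of(manifest):
    """Content-addressable identity: a registry names a manifest by the digest of its bytes."""
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()


def descriptor(manifest):
    """OCI descriptor for a manifest; this is what an artifact's `subject` points at."""
    return {"mediaType": manifest["mediaType"],
            "digest": digest_of(manifest),
            "size": len(canonical_bytes(manifest))}


def artifact_manifest(artifact_type, subject, blob_digest, annotations=None):
    """ORAS artifact manifest: typed claim (SBOM, scan result, ...) attached to a subject."""
    return {
        "mediaType": ORAS_ARTIFACT_MANIFEST,
        "artifactType": artifact_type,
        "blobs": [{"mediaType": "application/json", "digest": blob_digest, "size": 0}],
        "subject": subject,
        # Annotations live on the manifest; adding information later means pushing a
        # new artifact against the same subject rather than mutating this one.
        "annotations": annotations or {},
    }


class Registry:
    """Minimal model of a registry that understands the subject/referrers graph."""

    def __init__(self, name):
        self.name = name
        self.manifests = {}  # digest -> manifest
        self.tags = {}       # tag -> digest

    def push(self, manifest, tag=None):
        d = digest_of(manifest)
        self.manifests[d] = manifest
        if tag:
            self.tags[tag] = d
        return d

    def referrers(self, subject_digest, artifact_type=None):
        """Discover every artifact whose subject is this digest, optionally by type."""
        return [d for d, m in self.manifests.items()
                if m.get("subject", {}).get("digest") == subject_digest
                and (artifact_type is None or m.get("artifactType") == artifact_type)]

    def delete(self, digest):
        """Delete a manifest and cascade to its referrers; returns the number removed."""
        removed = 0
        for r in self.referrers(digest):
            removed += self.delete(r)
        if digest in self.manifests:
            del self.manifests[digest]
            removed += 1
        self.tags = {t: d for t, d in self.tags.items() if d != digest}
        return removed

    def promote(self, tag, dest):
        """Copy a tagged image and its whole referrer graph into another registry."""
        d = self.tags[tag]
        copied = self._copy_graph(d, dest)
        dest.tags[tag] = d
        return copied

    def _copy_graph(self, digest, dest):
        dest.manifests[digest] = self.manifests[digest]
        n = 1
        for r in self.referrers(digest):
            n += self._copy_graph(r, dest)
        return n


def build_demo():
    """Constructed scenario: public registry holds app:1.0 with an SBOM and a scan attached."""
    public, private = Registry("public"), Registry("private")
    image = {  # constructed image manifest; config digest is a placeholder
        "mediaType": OCI_IMAGE_MANIFEST, "schemaVersion": 2, "layers": [],
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + "0" * 64, "size": 1},
    }
    image_digest = public.push(image, tag="app:1.0")
    subject = descriptor(image)
    public.push(artifact_manifest("application/vnd.example.sbom.v1", subject,
                                  "sha256:" + "1" * 64, {"org.example.sbom.format": "spdx"}))
    public.push(artifact_manifest("application/vnd.example.scan.v1", subject,
                                  "sha256:" + "2" * 64, {"org.example.scan.date": "2022-01-01"}))
    copied = public.promote("app:1.0", private)  # image + 2 referrers travel together
    return public, private, image_digest, copied


if __name__ == "__main__":
    public, private, d, copied = build_demo()
    print("promoted manifests:", copied, "referrers in private:", len(private.referrers(d)))
    print("removed on delete:", private.delete(d), "public still holds:", len(public.manifests))
```

The point of the model is that `promote` and `delete` never need a side channel listing which SBOM belongs to which image: the `subject` digest inside each artifact manifest is the only link, and because it is content-addressed, a promoted SBOM in the private registry still refers to exactly the image bytes it was generated for.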

