tldr - powered by Generative AI

• Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
• New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
• The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
• Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
• Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.

tldr - powered by Generative AI

• Provenance and reproducibility are major issues in the current state of security in IT.
• The distroless philosophy and using smaller base images can save from scan report purgatory.
• Updating images and dependencies is crucial.
• Using apko to build container images with SBOMs and complete reproducibility.
• Signing images with Sigstore.
• Cutting down dependencies by using smaller base images and keeping them up to date.
• Verifying signatures and using policy management tools to check for vulnerabilities.
• The vulnerability exploitability exchange can help filter vulnerabilities and cut down noise.
• Google container tools and digital images are small and perfect for running statically compiled binaries.
• The drawbacks of using Google container tools include a hard-to-extend list and difficulty in installing apps.
• Cutting down images to the minimum set of dependencies can drastically reduce noise in vulnerability reports.