Dan Lorenc, from Chainguard, shares insights on creating secure container images, emphasizing the importance of minimalism to enhance security. He discusses the ramifications of the recent XZ supply chain attack and how Chainguard addresses vulnerability management. Dan highlights the benefits of their zero CVE approach, the launch of Chainguard images on Docker Hub, and the need for proactive security practices. He also elaborates on tools for reducing attack surfaces and the significance of frameworks like SLSA in bolstering software security.
Duration: 59:43
ANECDOTE
Long-Term Supply Chain Attack Story
A nation state actor patiently gained maintainer control of XZ over two years to inject a stealthy backdoor.
The backdoor leveraged cryptographic keys for exclusive access and was discovered by pure luck due to performance issues.
INSIGHT
Source Package Verification Gap
The critical gap in supply chain security is the missing verification link between source repo code and distributed source packages.
The XZ attack exploited this by hiding malware in the source upload, not the Git repository.
ADVICE
Chainguard Images on Docker Hub
Chainguard now mirrors its free baseline container images to Docker Hub for maximum accessibility.
Users can verify image signatures and digests to avoid supply chain compromises when pulling from Docker Hub.
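The digest check described above, as an added example that is not Chainguard's or the podcast's own code: a pulled image is only protected against a swapped or tampered manifest if the reference is pinned to a sha256 digest and the bytes the registry serves actually hash to it; a mutable tag such as :latest gives no such guarantee. The helpers below assume the OCI reference form name[:tag]@sha256:<64 hex> and that a manifest's digest is the sha256 of the exact manifest bytes; the sample manifest is constructed, and the cosign identity quoted in the comment is taken from Chainguard's documentation and should be confirmed against the current docs.

```shell
#!/bin/sh
# Added example (not Chainguard's or the podcast's code): digest-pinning checks
# for image references pulled from Docker Hub or cgr.dev.
# Assumptions: OCI reference syntax name[:tag]@sha256:<64 hex>; a registry
# manifest's digest is the sha256 of the exact manifest bytes it serves.

# sha256 of a file as hex, portable across sha256sum and shasum.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Success when the reference ends in a well-formed sha256 digest.
is_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Digest of a manifest file in OCI form, e.g. sha256:e3b0c442...
manifest_digest() {
  printf 'sha256:%s' "$(sha256_hex "$1")"
}

# Extract the digest from a pinned reference; prints nothing for an unpinned one.
ref_digest() {
  printf '%s\n' "$1" | sed -n 's/.*@\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Success only if the reference is pinned AND the manifest bytes hash to that
# digest. A tag alone cannot detect a swapped manifest; the digest can.
verify_manifest_against_ref() {
  ref="$1"
  manifest="$2"
  is_pinned "$ref" || return 1
  [ "$(ref_digest "$ref")" = "$(manifest_digest "$manifest")" ]
}

# Signature verification is a separate step. Chainguard documents a keyless
# cosign identity for its images (assumed here; confirm against current docs):
#   cosign verify \
#     --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
#     --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
#     cgr.dev/chainguard/static

# Constructed sample: a minimal fake OCI manifest, to show a pinned reference.
demo=$(mktemp)
printf '{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}' > "$demo"
echo "pinned reference: cgr.dev/chainguard/static@$(manifest_digest "$demo")"
rm -f "$demo"
```

In CI, run is_pinned over every FROM line and every image: field before the build, and run cosign verify on the pinned reference; pinning stops a tag from silently moving, while the signature check ties the digest back to the publisher.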
Bret and Nirmal are joined by Dan Lorenc from Chainguard to walk them through Chainguard's approach to building secure, minimal container images for popular open source software.
🙌 My next course is coming soon! I've opened the waitlist for those wanting to go deep in GitHub Actions for DevOps and AI automation in 2025. I'm so thrilled to announce this course. The waitlist allows you to quickly sign up for some content updates, discounts, and more as I finish building the course. https://courses.bretfisher.com/waitlist 🍾
They discuss why it is important to have secure and minimal container images. Dan explains how Chainguard helps remove the pain of CVEs, lagging software updates and patches, and much more. Chainguard images are now also available on Docker Hub.
They spend the first part of the show talking about the week's big news: the XZ supply chain attack, and Dan was the best man to explain it. They also touch on CVEs, things you can do to reduce the attack surface, SLSA, and more during this jam-packed show.