Supply Chain Security for Container Images

Supply Chain Security for Container Images

Software Bill of Materials (SBOM) provides transparency into image contents. SBOMs list all components, libraries, and dependencies within images. This transparency enables vulnerability tracking even for components not directly managed. SPDX and CycloneDX provide standard SBOM formats supported by various tools.

Provenance attestation proves image build processes and sources. In-toto and SLSA frameworks define standards for capturing build provenance. This includes recording build environment, inputs, and processes. Provenance verification ensures images come from trusted build systems using approved processes.

# SLSA provenance attestation example
apiVersion: in-toto.io/v1
kind: Statement
metadata:
  predicateType: https://slsa.dev/provenance/v0.2
subject:
- name: registry.company.com/app
  digest:
    sha256: abc123def456...
predicate:
  builder:
    id: https://github.com/company/builders/docker
  buildType: https://github.com/company/docker-build/v1
  invocation:
    configSource:
      uri: git+https://github.com/company/app@refs/heads/main
      digest:
        sha1: 7fd1a60b01f91b3ef2e8e8c8f8e8e8e8e8e8e8e8
      entryPoint: .github/workflows/build.yml
  materials:
  - uri: git+https://github.com/company/app
    digest:
      sha1: 7fd1a60b01f91b3ef2e8e8c8f8e8e8e8e8e8e8
  - uri: docker://node:16-alpine
    digest:
      sha256: 789abc012def...
  buildConfig:
    steps:
    - command: ["docker", "build", "-t", "app:latest", "."]
    - command: ["trivy", "image", "app:latest"]
    - command: ["cosign", "sign", "app:latest"]
  metadata:
    buildInvocationId: "https://github.com/company/app/actions/runs/123456"
    buildStartedOn: "2023-11-20T10:00:00Z"
    buildFinishedOn: "2023-11-20T10:15:00Z"
    completeness:
      parameters: true
      environment: false
      materials: true
    reproducible: false

Dependency management for container images requires tracking direct and transitive dependencies. Languages like JavaScript, Python, and Go pull numerous dependencies that might contain vulnerabilities. Tools analyzing dependency trees help identify vulnerable components deep in dependency chains. Automated dependency updates with security testing ensure timely patching.