Add info
Some checks failed
Gitea Actions Demo Training / Explore-Gitea-Actions (push) Failing after 0s

This commit is contained in:
2023-11-07 15:44:20 +01:00
parent 600897d0c6
commit 4e72b1e778
2 changed files with 82 additions and 4 deletions

View File

@@ -9,3 +9,6 @@
- 👷🏼‍♂️ Devops/Gitops/Cloud/Container/Cluster/Linux engineer (Pick one)
- 🎯 Passion: Secure K8S clusters (air-gapped) running secure containers
Disclaimer: The tools and applications shown in this presentation often have many alternatives that are equally good. The same applies to the opinion of the presenter.

View File

@@ -13,11 +13,9 @@ Read them and store them.... (Create them if you have to)
---
## SBOMs help, they do
## Know what you deploy
Imagine that you download and run a Python application in your cluster do you know which software components are present in the image? And which CVE's are present?
It does make a difference how the image was build. Which one do you prefer and why given the following `Dockerfile``:
Imagine that you download and run a Python application in your cluster. Which one do you prefer and why given the following `Dockerfile``:
```bash
FROM python:latest
@@ -35,8 +33,85 @@ COPY worker.py /
CMD ["python", "worker.py"]
```
And why?
---
## The only difference is the base image
- But the end result is quite different:
| Base image | Image size | CVE's |
|---|---|---|
| python:latest | 888 Mb | 1114 |
| python:alpine | 73,5 Mb | 3 |
(Scanning was done with `grype` and since the writing of this presentation the numbers have increased)
How often do you want to scan your images?
---
<!--
## The 'full' python image has even `gcc` included....
```bash
docker run --rm --entrypoint gcc -it python-latest:latest
gcc: fatal error: no input files
compilation terminated.
```
```bash
docker run --rm --entrypoint gcc python-alpine:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "gcc": executable file not found in $PATH: unknown.
```
---
--->
## Providing information about software components
More and more organisations want to know which software components they are about to deploy in a well know format. Executive Order 14028 on Improving the Nation's Cybersecurity does the same.
This format is known as `SBOM` with already several versions.
Most often this is a JSON formatted file, a snippet looks like:
```json
"artifacts": [
{
"id": "60671fb38be80921",
"name": "Simple Launcher Executable",
"version": "1.1.0.14",
"type": "dotnet",
"foundBy": "dotnet-portable-executable-cataloger",
"locations": [
{
"path": "/usr/local/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe",
"layerID": "sha256:cd9f081b2669b644feeada02c0071c964673c221b6e44a42c44581d28ca18e2a"
}
],
"licenses": [],
"language": "",
"cpes": [
"cpe:2.3:a:Simple_Launcher_Executable:Simple_Launcher_Executable:1.1.0.14:*:*:*:*:*:*:*"
],
"purl": "pkg:nuget/Simple%20Launcher%20Executable@1.1.0.14",
"metadataType": "DotnetPortableExecutableMetadata",
"metadata": {
"assemblyVersion": "",
"legalCopyright": "Copyright (C) Simple Launcher User",
"internalName": "t32.exe",
"companyName": "Simple Launcher User",
"productName": "Simple Launcher",
"productVersion": "1.1.0.14"
}
},
```
## Foreknowledge of CVE's
Knowing upfront which CVE's will be deployed
## Deployment prevention
Inspecting SBOM's is best done before deploying containers and friends. Prevention is always best.