What’s the best way to manage supply chain risks for Helm charts and container images?

In our small team, we've opted for CNCF alternatives when possible, but we also stick to official releases and hope they stay available. We use a local Harbor registry as a proxy for images, and we run vulnerability scans on it. It's not perfect, but we're making progress in reducing our vendor dependency.

Having an internal mirror for charts and images is pretty standard for production workloads these days, especially after the Bitnami incident. It provides stability and control, which is vital for air-gapped or compliance-heavy environments. Alongside mirroring, it’s wise to standardize on a set of maintained, predictable base images to avoid surprises with deprecation or missing patches. At my company, we focus on curated, near-zero CVE images from LTS distros, which helps reduce vulnerabilities. If you're interested in making your supply chain more resilient, check this out: [Bitnami Goes Behind Paywall: RapidFort's Curated Near-Zero CVE Images Offer Superior Alternative](https://www.rapidfort.com/blog/bitnami-goes-behind-paywall-rapidforts-curated-near-zero-cve-images-offer-superior-alternative). *Disclosure: I work for RapidFort* 🙂

We’re currently implementing a mix of JFrog Artifactory as a read-through cache alongside a local container store on GCP. If I had it my way, I would prefer using something like Harbor for all of this.

We bring external charts into our local Harbor instance and use that for deployments. It simplifies things quite a bit.

I focus on using minimal charts, even rewriting them if needed. For example, while some Helm charts create complex setups, I only use what's necessary for my deployment scenarios.