My team has been struggling with manual SBOM validation for every image update required by our vendor, which takes us over 15 hours a week! We're constantly cross-referencing CVE feeds against overly complicated Ubuntu derivatives that include over 200 packages each, many of which we don't even use.
We really need base images with signed SBOMs, fast daily rebuilds, and a minimal attack surface. I'm tired of vendors offering enterprise-level security while piling on manual processes.
We considered Chainguard, but it became too costly for us. I've heard of Minimus, but my team is skeptical about it. What's been working for you? Please skip the marketing fluff.
7 Answers
We mainly use Chainguard for our base images, but you might find it helpful to pull images from different sources and apply your own SBOM predicates. Then you can run grype scans for validation and really streamline your process.
Have you looked into Red Hat? They’ve introduced some solid options for zero-CVE strategies that could really cut down on your manual work. Check out Project Hummingbird.
We switched to Minimus just last quarter after Chainguard became too expensive. Their daily rebuilds and signed SBOMs have saved us about 10 hours of manual validation each week and cut our package count down to just 20-30 per image. The transition was smoother than we expected!
It sounds like you guys are stuck in a tough spot! Honestly, you could automate your validation process pretty easily. It's a shame you're spending so much time on this when there's a way to streamline it. Just saying!
My company decided to bite the bullet and go with Chainguard after all. We're still early in the rollout, but it seems promising for us. Wiz and SUSE also offer similar base image solutions if you’re exploring options.
If you're mid-SOC 2, you might want to check us out. We're more affordable than Chainguard and offer flexibility without locking into our base OS.
Why not try automating SBOM generation with Syft and using Grype for validation? That could save you a ton of time!
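Following up on the Syft/Grype suggestion above (and the earlier answer about applying your own SBOM predicates and then running grype), here is an added example, not code from the original thread or from the Syft/Grype projects: a small Python policy gate that reads grype's JSON output and fails the pipeline only on actionable findings (at or above a severity threshold, with a fix available) unless a time-boxed allowlist entry waives them. The grype field names used here (`matches[].vulnerability.{id,severity,fix}`, `matches[].artifact.{name,version}`) are my assumption about grype's `-o json` shape, the report and allowlist are constructed samples, and the `syft`/`grype` invocations in the comments are assumptions about how you would wire it into CI.

```python
"""Policy gate for a Syft -> Grype pipeline (added example, not project code).

Assumed pipeline wiring (not part of this script):
    syft registry:example.com/app:1.2.3 -o cyclonedx-json > sbom.cdx.json
    grype sbom:sbom.cdx.json -o json > grype.json
    python sbom_gate.py grype.json allowlist.json
"""
import json
import sys
from datetime import date

# Grype severity strings, ranked so we can apply a threshold.
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of a grype JSON report (field layout assumed; not real scan data).
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libfoo", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "libbar", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["0.9"], "state": "fixed"}},
         "artifact": {"name": "libbaz", "version": "0.8"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libqux", "version": "3.1.0"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "High",
                           "fix": {"versions": ["4.2"], "state": "fixed"}},
         "artifact": {"name": "libquux", "version": "4.1"}},
    ]
})

# Constructed allowlist: VEX-style "not affected" decisions, each with an expiry
# so a waiver cannot silently outlive the reasoning behind it.
SAMPLE_ALLOWLIST = {
    "CVE-0000-0002": {"reason": "vulnerable code path unreachable; libbar used only at build time",
                      "expires": "2099-01-01"},
    "CVE-0000-0005": {"reason": "waiver granted for one release cycle",
                      "expires": "2024-06-01"},   # already expired: must fail again
}


def load_matches(report_json):
    """Flatten grype's nested match objects into simple records."""
    records = []
    for m in json.loads(report_json).get("matches", []):
        vuln, artifact = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        records.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown").lower(),
            "fixed": fix.get("state") == "fixed",   # grype fix states assumed: fixed / not-fixed / wont-fix / unknown
            "fix_versions": fix.get("versions", []),
            "package": f"{artifact['name']}@{artifact['version']}",
        })
    return records


def evaluate(report_json, allowlist, min_severity="high", only_fixable=True, today=None):
    """Classify each finding as failing, waived, or ignored and return a verdict dict.

    A finding is actionable when it meets the severity threshold and (if
    only_fixable) has a fix available; an unexpired allowlist entry waives it.
    """
    today = today or date.today().isoformat()
    threshold = SEVERITY_RANK[min_severity.lower()]
    failing, waived, ignored = [], [], []
    for finding in load_matches(report_json):
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            ignored.append(finding)
            continue
        if only_fixable and not finding["fixed"]:
            ignored.append(finding)          # nothing to upgrade to; track, don't block
            continue
        entry = allowlist.get(finding["id"])
        if entry and entry["expires"] >= today:  # ISO dates compare correctly as strings
            waived.append(finding)
        else:
            failing.append(finding)
    return {"passed": not failing, "failing": failing, "waived": waived, "ignored": ignored}


def main(argv):
    """CLI entry: real grype.json/allowlist.json if given, else the constructed samples."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GRYPE_REPORT
    allowlist = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_ALLOWLIST
    verdict = evaluate(report, allowlist)
    for f in verdict["failing"]:
        print(f"FAIL  {f['id']} {f['severity']:<8} {f['package']} -> fix: {', '.join(f['fix_versions'])}")
    for f in verdict["waived"]:
        print(f"WAIVE {f['id']} {f['package']} ({allowlist[f['id']]['reason']})")
    print(f"{len(verdict['ignored'])} finding(s) below policy threshold or without a fix")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point of the expiry field is that every waiver is forced back onto someone's desk; the point of `only_fixable` is to keep the daily gate focused on findings the rebuild can actually remove, while still reporting the unfixable ones so they are not invisible.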
We've found success using Echo for vulnerability-free images. But I totally get why some people might be skeptical about this type of recommendation.

I feel you. Sometimes it seems like people suggest automated fixes just to upsell something.