I'm looking for container images that ensure high transparency in our environment. Every container image we deploy must be traceable and verifiable, which means we require features like signed provenance and tamper-proof Software Bill of Materials (SBOMs), as well as straightforward exports for audits. The standard process of building images locally and then generating SBOMs is feeling too unreliable and manual, increasing the chance for mistakes. Ideally, I'd like to find ready-made, minimal container images that come with signed SBOMs and provenance data. Integration with our CI/CD pipeline would be a huge plus, as it would help speed up our compliance audits. Any suggestions?
1 Answer
A lot of companies maintain their own base images and handle signing and SBOMs within a robust CI process. For example, we use Gitlab CI with our signing keys stored securely in Vault. This way, the signing step occurs after the build step, ensuring the build process doesn't interact directly with the signing keys. There’s also a method called 'Keyless Signing' that you could explore!
Good point about the workflow with CI! Just be aware that some comment counts might be inaccurate due to automation removing posts that seem spammy or violate site rules.