How to Implement FIPS 140-3 Containers Efficiently in CI/CD?

Asked By TechieBear42 On

I'm facing a challenge with getting FIPS 140-3 validated container images into production without causing severe delays in our CI/CD pipeline. It's been quite a struggle. We see three main approaches, but they all have significant downsides:

1. Using standard open-source crypto modules is fast initially, but any drift leads to auditor issues.

2. Submitting our own module for lab validation takes too long (about 9 to 18 months) and costs a fortune, so that's not an option.

3. Considering commercial managed validation options like Minimus or Chainguard is probably the least painful choice, but we still face issues every time there's a security update. We're frequently blocked for days as the operations team engages in endless paperwork and compliance checks.

Has anyone figured out how to efficiently ship validated containers at scale, say multiple times a week, without the team feeling burnt out? Thanks!

5 Answers

Answered By AuditorGuru88 On

What agency is giving you a hard time for CVEs that aren't fixed in Chainguard's standard SLA? Most critical CVEs tend to be addressed in a matter of days, and usually, I haven’t seen auditors react that swiftly.

Answered By DevOpsGoddess69 On

You might want to set up automated CI pipelines that only rebuild the application layer when updates occur. Integrating image scanning and compliance checks into the pipeline could work well. Also, using GitOps tools for deployment ensures you can ship frequently without waiting for total base-image validation each time. Just keep in mind, this can still lead to some bottlenecks.
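One way to make the "compliance checks" in this answer concrete is a CI gate that fails the build when the image's OpenSSL is not running the FIPS provider, or when the installed FIPS module no longer matches the one that was validated (the drift the question worries about). This is an added example, not code from any poster or vendor in this thread. It assumes the pipeline has already captured `openssl list -providers` and the image's fipsmodule.cnf from inside the candidate image (for example via `docker run`); the sample outputs and the module-mac values below are constructed placeholders.

```python
import re

# Constructed sample of `openssl list -providers` captured from inside the image.
PROVIDERS = """Providers:
  base
    name: OpenSSL Base Provider
    status: active
  fips
    name: OpenSSL FIPS Provider
    status: active
"""
# Constructed sample of the fipsmodule.cnf that `openssl fipsinstall` writes.
FIPS_CNF = """[fips_sect]
activate = 1
module-mac = 1A:2B:3C:4D:5E:6F:70:81
install-status = INSTALL_SELF_TEST_KATS_RUN
"""
# Placeholder: the module-mac pinned when the validated module was approved (not a real value).
EXPECTED_MODULE_MAC = "1A:2B:3C:4D:5E:6F:70:81"

def active_providers(listing):
    """Map provider name -> status from `openssl list -providers` output."""
    providers, current = {}, None
    for line in listing.splitlines():
        name = re.match(r"^  (\S+)$", line)  # two-space indented provider name
        if name:
            current = name.group(1)
            continue
        status = re.match(r"^\s+status:\s*(\S+)", line)
        if status and current:
            providers[current] = status.group(1)
    return providers

def module_mac(cnf):
    """Extract the module-mac that fipsinstall recorded for the loaded FIPS module."""
    m = re.search(r"^module-mac\s*=\s*([0-9A-Fa-f:]+)", cnf, re.M)
    return m.group(1).upper() if m else None

def fips_gate(listing, cnf, expected_mac):
    """Return a list of findings; an empty list means the image may ship."""
    findings, provs = [], active_providers(listing)
    if provs.get("fips") != "active":
        findings.append("fips provider not active")
    if provs.get("default") == "active":
        findings.append("default provider also active: non-approved algorithms still loadable")
    mac = module_mac(cnf)
    if mac is None:
        findings.append("no module-mac in fipsmodule.cnf")
    elif mac != expected_mac.upper():
        findings.append("module-mac differs from pinned validated module (drift)")
    return findings
```

Wire `fips_gate` into the application-layer rebuild job so a base-image update that silently swaps the FIPS module, or a config change that re-enables the default provider, blocks the release instead of surfacing at audit time.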

Answered By CryptoNinja83 On

Dealing with FIPS can definitely be a headache. Going with commercial options like Chainguard might end up being your best bet, but it's still a hassle. You could consider automating parts of your CI/CD pipeline to ease delays, but there isn't any magic fix for this predicament.

Answered By ChainguardEmployee On

Just a note from Chainguard—our images are designed to be "kernel independent," so kernel updates shouldn't hold you back. A lot of OpenSSL CVEs actually fall "outside the FIPS boundary," meaning you won’t need to rush to update for every CVE. We typically provide updates before you're even aware one is necessary!

Answered By CuriousCoder101 On

I don’t have FIPS requirements yet, but I'm curious—could you use supported images from major providers like Red Hat or Oracle? This way, the burden of updating and certifying the base images could be passed on to those third parties with the right contracts in place.
