Our security team has decided to stop using public container registries like Docker Hub due to supply chain concerns. We're currently managing over 200 microservices, and while I understand the risks, I want to know what realistic alternatives we have that won't significantly hinder our deployment speed. Should we consider setting up a private registry with curated base images, or is building our own from scratch a better option? Any suggestions that could help us maintain our workflow and satisfy the compliance requirements would be appreciated!
4 Answers
Rather than building everything from scratch, consider a hybrid approach—set up Harbor or Artifactory to mirror trusted public repositories. This way, you ensure availability of images and can apply your organization's security policies effectively.
You might want to look into using Harbor or Artifactory. Both can serve as private registries and help mitigate security risks while allowing you to manage your images effectively. With Harbor, you can set up proxy caching to pull images from public sources when needed and keep your own curated set, which might help with compliance without breaking your teams' workflows.
Exactly! Plus, with tools like Harbor, you can also integrate vulnerability scanning to ensure what you're pulling in is safe. It adds a layer of security without sacrificing speed.
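The scanning gate mentioned in the comment above, as an added example that is not from this thread or from Harbor itself: a small policy function that takes a scan report, blocks the image on findings at or above a severity threshold, and honours a time-bound exception list so accepted risks get re-reviewed instead of living forever. The report shape, the `CVE-0000-*` ids, the image name and the `evaluate` / `expired_exceptions` helpers are all constructed for this example; the policy shape mirrors the idea of a registry's "block vulnerable images" rule, not any product's exact logic.

```python
"""Gate images on registry scan results.  Added example: the report shape,
the CVE ids and the image name are constructed placeholders, and the policy
illustrates a "block vulnerable images" rule with a severity threshold and a
time-bound exception list, not any product's exact implementation."""
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan report; not output from a real scanner.
SAMPLE_REPORT = {
    "image": "harbor.example.com/dockerhub-proxy/library/app:1.0",  # placeholder
    "findings": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "openssl", "fixed_version": "3.0.9"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "package": "zlib", "fixed_version": None},
        {"id": "CVE-0000-0003", "severity": "MEDIUM", "package": "curl", "fixed_version": "8.4.0"},
    ],
}


def evaluate(report: dict, threshold: str = "HIGH",
             exceptions: Optional[Dict[str, date]] = None,
             ignore_unfixed: bool = True,
             today: Optional[date] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, blocking_findings).

    A finding blocks the image when its severity is at or above `threshold`,
    it has a fix available (or ignore_unfixed is False), and it is not covered
    by an exception whose expiry date has not yet passed."""
    today = today or date.today()
    exceptions = exceptions or {}  # CVE id -> last day the exception is valid
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = []
    for f in report["findings"]:
        if SEVERITY_RANK.get(f["severity"].upper(), 0) < min_rank:
            continue
        if ignore_unfixed and not f.get("fixed_version"):
            continue  # nothing to upgrade to; report it elsewhere, don't block
        expiry = exceptions.get(f["id"])
        if expiry is not None and today <= expiry:
            continue  # accepted risk, still inside its review window
        blocking.append(
            f"{f['id']} {f['severity']} in {f['package']} "
            f"(fix: {f.get('fixed_version') or 'none'})"
        )
    return (not blocking, blocking)


def expired_exceptions(exceptions: Dict[str, date],
                       today: Optional[date] = None) -> List[str]:
    """Exceptions past their expiry: these need re-review, not silent renewal."""
    today = today or date.today()
    return sorted(cve for cve, expiry in exceptions.items() if expiry < today)


if __name__ == "__main__":
    allowed, reasons = evaluate(SAMPLE_REPORT)
    print("allowed" if allowed else "blocked", reasons)
```

Two design points worth keeping when wiring this into a pipeline: unfixable findings are skipped by default so the gate does not block every image on a CVE nobody can patch yet (set `ignore_unfixed=False` for a stricter posture), and every exception carries an expiry date, which is what turns "we accepted this risk once" into something that gets looked at again.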
Definitely look at using a private registry with curated base images. Tools like Minimus allow you to maintain build flexibility and give your developers freedom without compromising security standards. Just make sure your chosen solution integrates well into your existing workflow to minimize disruption.
That sounds like a great balance! The key here seems to be maintaining developer autonomy while ensuring security compliance without reinventing the wheel.
If you're on AWS, consider using ECR with a pull-through cache. This way, you can pull images from Docker Hub into your own ECR repository, benefiting from AWS's security measures. It simplifies compliance while you still maintain quick access to necessary images.
I've used ECR personally, and it's seamless! It handles caching well, which speeds things up in practice and helps avoid the rate limits typical with public registries.
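Both the Harbor proxy-cache answer above and this ECR pull-through cache answer end up with the same migration chore across 200 services: every Docker Hub reference in the manifests has to be rewritten to `<mirror>/<project-or-prefix>/<namespace>/<repo>` while references to other registries stay untouched. The following is an added example, not code from this thread, Harbor or AWS: a small rewriter that parses references the way the Docker CLI does (bare names mean `docker.io`, official images live under `library/`, a tag is the text after the last colon that follows the last slash), maps Docker Hub references to a mirror, and reports which references are still not pinned by digest. The hostnames `harbor.example.com` and the ECR endpoint, the project name `dockerhub-proxy` and prefix `docker-hub`, and the helper names are all placeholders and assumptions.

```python
"""Rewrite Docker Hub image references in Kubernetes manifests to a private
mirror: a Harbor proxy-cache project or an ECR pull-through cache prefix.
Added example; mirror hostnames and project/prefix names are placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostnames that all mean Docker Hub; the CLI treats a bare name as docker.io.
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}


@dataclass(frozen=True)
class ImageRef:
    registry: str           # "docker.io", "ghcr.io", "localhost:5000", ...
    path: str               # "library/nginx", "bitnami/redis", ...
    tag: Optional[str]      # "1.25"; None when only a digest is given
    digest: Optional[str]   # "sha256:..." or None


def parse_ref(ref: str) -> ImageRef:
    """Split a reference the way the Docker CLI does, normalising Docker Hub
    aliases and the implicit "library/" namespace of official images."""
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The first path component is a registry only if it looks like a host.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' that comes after the last '/'.
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry in DOCKER_HUB_HOSTS:
        registry = "docker.io"
        if "/" not in path:
            path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"  # make the CLI's implicit default explicit
    return ImageRef(registry, path, tag, digest)


def to_mirror(ref: str, mirror_host: str, prefix: str) -> str:
    """Map docker.io/<path> to <mirror_host>/<prefix>/<path>; references to
    other registries come back unchanged, so the rewrite is safe to re-run."""
    parsed = parse_ref(ref)
    if parsed.registry != "docker.io":
        return ref
    out = f"{mirror_host}/{prefix}/{parsed.path}"
    if parsed.tag:
        out += f":{parsed.tag}"
    if parsed.digest:
        out += f"@{parsed.digest}"
    return out


# Matches "image: <ref>" lines, with or without a leading "- " and quotes.
_IMAGE_LINE = re.compile(
    r'^([ \t]*(?:-[ \t]+)?image:[ \t]*)(["\']?)([^"\'\s]+)\2([ \t]*)$', re.M)


def rewrite_manifest(text: str, mirror_host: str, prefix: str) -> str:
    """Rewrite every image: line in a YAML manifest, preserving indentation and quoting."""
    def repl(m: "re.Match") -> str:
        new_ref = to_mirror(m.group(3), mirror_host, prefix)
        return f"{m.group(1)}{m.group(2)}{new_ref}{m.group(2)}{m.group(4)}"
    return _IMAGE_LINE.sub(repl, text)


def unpinned_refs(text: str) -> List[str]:
    """References without a digest.  A mirror controls where images come from,
    but only a digest pins what a tag resolves to."""
    return [m.group(3) for m in _IMAGE_LINE.finditer(text)
            if "@sha256:" not in m.group(3)]


if __name__ == "__main__":
    # Constructed manifest fragment for demonstration.
    sample = "containers:\n- image: nginx:1.25\n  name: web\n- image: \"ghcr.io/org/app:1.0\"\n"
    print(rewrite_manifest(sample, "harbor.example.com", "dockerhub-proxy"))
    print("unpinned:", unpinned_refs(sample))
```

The same function serves both registries: for Harbor pass the proxy-cache project name as `prefix`, for ECR pass the pull-through cache rule's repository prefix and the account's ECR endpoint as `mirror_host`. Keeping `library/` in the rewritten path matters for official images on both, and the `unpinned_refs` report is the list to work through next, since the mirror answers "where from" but a digest is what answers "exactly what".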

Mirror strategy sounds smart! This could really help with those compliance pushbacks while still keeping your teams efficient.