Which released version

rakhirhif8963
Posts: 560
Joined: Mon Dec 23, 2024 3:16 am

Which released version

Post by rakhirhif8963 »

Using Clair, you can create services that continuously monitor container vulnerabilities. This type of service is especially important when organizations download container images directly. However, even when containers are built from source, vulnerabilities can creep in over time as new ones emerge.

2. Sigstore
Sigstore is a non-profit, public-benefit software signing service.

Properly securing your software supply chain involves more than just spot scanning as part of your DevSecOps CI/CD pipeline. Through a working partnership between Google, the Linux Foundation, Red Hat, and Purdue University, Sigstore brings together a suite of tools, Fulcio, Cosign, and Rekor, that can be used by developers, software maintainers, package managers, and security researchers. The service handles digital signatures, validation, and logging of data for transparent audit trails, making it safer to distribute and use any signed software. The goal is to provide a free and transparent supply chain tracking service for everyone.

Cosign, which reached 1.0 in July 2021, signs and verifies artifacts stored in Open Container Initiative (OCI) registries. It also includes base specifications for storing and discovering signatures.

Fulcio is the root certificate authority for code signing certificates. It issues certificates based on an OpenID Connect (OIDC) email address. The certificates that Fulcio issues to clients so they can sign an artifact are short-lived. This allows users to sign things without having to worry about protecting their private key (or having to revoke it if it is compromised).

Rekor provides an immutable, tamper-resistant, transparent ledger and timestamp service, and generates metadata across the software supply chain. Software and build system maintainers can write signed metadata to an immutable record. Other parties can then query this metadata to make informed decisions about trust and non-repudiation for an object's lifecycle.

3. KubeLinter
KubeLinter builds on the basic concept of vulnerability scanning. Traditional vulnerability scanning can be thought of as essentially unit testing. Containers, libraries, etc. are tested in isolation. Like unit tests, this is a valuable practice in itself, but there are additional benefits when scanning more complex integrated objects.

KubeLinter checks configurations against various best practices with a focus on production readiness and security. KubeLinter runs default checks designed to provide useful information about Kubernetes YAML files and Helm charts. This helps teams identify security misconfigurations and DevSecOps best practices. Common examples include running containers as a non-root user, using least privilege, and storing sensitive information only in secrets.
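The post describes Rekor as a tamper-resistant, transparent ledger that other parties can query to decide whether to trust an entry. What makes such a ledger checkable by a third party is a Merkle inclusion proof: a client holding only the log's root hash can confirm that a specific entry sits at a specific position without downloading the whole log. The following is an added example, written for this page and not code from the Sigstore project or from the post's author. It implements the RFC 6962 hashing scheme (0x00 domain byte for leaves, 0x01 for interior nodes) that Rekor's Trillian-backed log uses, builds a small log from constructed entries, produces an inclusion proof, and verifies it with the RFC 9162 client-side algorithm. The entries, the in-memory tree and the function names are all assumptions for illustration; a real client would receive the root in a signed tree head and the proof from Rekor's API.

```python
"""Merkle inclusion proofs in the RFC 6962 / RFC 9162 style used by Rekor.

Added example for this page; not Sigstore project code. Entries are constructed.
"""
import hashlib


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over a 0x00 domain-separation byte plus the entry."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over 0x01 plus the two child hashes.
    The domain bytes stop a leaf from being presented as an interior node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: list[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) of RFC 6962 section 2.1 for n >= 1 entries."""
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(index: int, entries: list[bytes]) -> list[bytes]:
    """Audit path (sibling hashes, leaf to root) showing entries[index] is in the tree."""
    if len(entries) == 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 section 2.1.3.2).

    A verifier needs only the trusted root hash, the tree size, the entry and the
    proof; it never has to see the rest of the log. Any tampered entry, wrong
    position or padded proof makes the recomputed root differ."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                # Right-shift both until fn is odd or zero (rightmost-node case).
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log entries: five stand-ins for signed metadata records.
CONSTRUCTED_ENTRIES = [
    b'{"artifact":"sha256:0a1b","signer":"dev@example.com","kind":"hashedrekord"}',
    b'{"artifact":"sha256:1c2d","signer":"ci@example.com","kind":"hashedrekord"}',
    b'{"artifact":"sha256:2e3f","signer":"dev@example.com","kind":"intoto"}',
    b'{"artifact":"sha256:3a4b","signer":"release@example.com","kind":"hashedrekord"}',
    b'{"artifact":"sha256:4c5d","signer":"dev@example.com","kind":"hashedrekord"}',
]


def demo(index: int = 3) -> bool:
    """Prove and verify inclusion of one constructed entry in the five-entry log."""
    root = merkle_root(CONSTRUCTED_ENTRIES)
    proof = inclusion_proof(index, CONSTRUCTED_ENTRIES)
    return verify_inclusion(CONSTRUCTED_ENTRIES[index], index,
                            len(CONSTRUCTED_ENTRIES), proof, root)


if __name__ == "__main__":
    print("inclusion verified:", demo())
```

The tree size of five is deliberate: RFC 6962 splits an unbalanced tree at the largest power of two below the size, so a proof for the last entry is a single hash while proofs for earlier entries are longer, and the rightmost-node handling in `verify_inclusion` is exercised rather than left untested.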
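The KubeLinter paragraph names three production-readiness checks: containers must not run as root, they should get only the privileges they need, and sensitive values belong in Secrets rather than in plaintext. As an added example, not KubeLinter's own code and not from the post's author, the script below implements those three checks over Kubernetes manifests, runs them against a deliberately weak Deployment and its hardened counterpart, and reports findings. The manifests are constructed and represented as already-parsed dictionaries (the form a YAML loader would produce), and the check wording and the pattern of "sensitive-looking" environment variable names are assumptions for illustration; KubeLinter's built-in checks cover the same ground with their own names and output.

```python
"""Minimal KubeLinter-style checks for pod security misconfigurations.

Added example for this page; not KubeLinter project code. Manifests are constructed.
"""
import re

# Assumed heuristic for env var names that usually hold credentials.
SENSITIVE_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a bare Pod or for a workload (Deployment, StatefulSet,
    DaemonSet, Job) that embeds a pod template under spec.template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def lint(manifest: dict) -> list[str]:
    """Return one finding string per misconfiguration; an empty list means clean."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        # Non-root: a container-level value overrides the pod-level one, and an
        # absent value means the kubelet will happily start the image as UID 0.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not set to true")

        # Least privilege: privileged containers get the host's device and
        # capability set; allowPrivilegeEscalation must be explicitly false to
        # block setuid binaries and file capabilities from gaining privileges.
        if sc.get("privileged") is True:
            findings.append(f"{name}: container is privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")

        # Secrets only in Secrets: a literal `value` ends up in the manifest, in
        # git, and in `kubectl describe`; a secretKeyRef keeps it in a Secret.
        for env in c.get("env", []):
            if SENSITIVE_ENV.search(env.get("name", "")) and "value" in env:
                findings.append(
                    f"{name}: env {env['name']} carries a literal value; use a secretKeyRef")
    return findings


# Constructed weak manifest: the setting an image-vendor's example often ships with.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "example.com/api:1.0",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]}}},
}

# Constructed hardened manifest: the same workload with each finding resolved.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api",
            "image": "example.com/api:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "api-db", "key": "password"}}}],
        }]}}},
}


def report(manifest: dict) -> str:
    """Human-readable summary, one finding per line."""
    findings = lint(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if not findings:
        return f"{name}: no findings"
    return "\n".join(f"{name}: {f}" for f in findings)


if __name__ == "__main__":
    print(report(WEAK_DEPLOYMENT))
    print(report(HARDENED_DEPLOYMENT))
```

One caveat worth keeping in mind when reading the non-root check: `runAsNonRoot: true` makes the kubelet refuse to start an image whose configured user is root, but it does not pick a user for you; images that expect a specific UID still need `runAsUser` or a `USER` instruction in the Dockerfile.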