大规模构建零 CVE 容器镜像：模式与陷阱（由 Chainguard 赞助）.pdf

1、Building Zero-CVE Container Images at ScaleDale RodriguezSr.Solutions EngineerMAM 215-SHello,Im DaleSr.Happiness EngineerCertified Vuln Hustler10+years focused on security,product and solutions engineering7 years focusing on cloud native securitySr.Solutions Engineer ChainguardLinkedin-https:/ are w

2、e even here?Whats a Chainguard?No one buys the factory.We sell images(and more)In fact,all the tools are open source!-Melange- of)Terraform providers- is no magic to“0 CVEs”There is a lot ofAutomationDebuggingCloud compute costsTestingJoyQuestioning ones sanityFunny thing how“open source malware”isn

3、t that commonBuild from sourceDepth provides defense.Depth allows everyone to understandthe risk.Depth mitigates uncertainty.https:/www.ntia.gov/page/software-bill-materialshttps:/www.chainguard.dev/unchained/unchained-this-shit-is-hard-applying-zero-trust-to-open-source-softwareBuild from source fr

4、om source from source With safe compiler optionsLooking at upstream projectsSome languages arent compiledSome use memory-safe languagesSome have a lot of safety built in and some are C or C+We recompile with safe(r)options to further reduce vulnerabilities.https:/best.openssf.org/Compiler-Hardening-

5、Guides/Compiler-Options-Hardening-Guide-for-C-and-C+.htmlhttps:/www.chainguard.dev/unchained/this-shit-is-hard-hardening-glibcWhat is the Chainguard Factory?Everyones favorite analogy.at a high level.UpstreamOSS projectsPackage BuildPackage RepositoryUpdate AutomationCVE Remediation AutomationImage

6、BuildImagepackage-1.2.3-r4.apkother-3.4.5-r6.apkone-more-5.6.7-r8.apkImage TestImage RepositoryPackage/usr/bin/foo/usr/lib/libfoo.so.4/var/lib/config.toml.The assembly lineThe central line running down the middle of the factoryEverything touches the assembly lineKeeping it moving is critically impor