Inspecting and manipulating Docker images
- Dive: https://github.com/wagoodman/dive
- Crane: https://github.com/google/go-containerregistry/tree/main/cmd/crane
- ORAS: https://github.com/oras-project/oras
- Skopeo: https://github.com/containers/skopeo
Articles:
-
https://www.tutorialworks.com/difference-docker-containerd-runc-crio-oci/
-
https://dlorenc.medium.com/oci-artifacts-explained-8f4a77945c13
-
https://itnext.io/reverse-engineer-docker-images-into-dockerfiles-453d3d21d896
-
https://containers.gitbook.io/build-containers-the-hard-way/
-
http://jpetazzo.github.io/2017/02/24/from-dotcloud-to-docker/
-
https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/
-
DockerHub OCI Artifact support: https://www.docker.com/blog/announcing-docker-hub-oci-artifacts-support/
Using Taskfiles for local pipelines
- Task: https://taskfile.dev/#/
- https://dev.to/stack-labs/introduction-to-taskfile-a-makefile-alternative-h92
Building curated Docker images
- https://github.com/codepraxis-io/curated-docker-images
- https://github.com/orgs/codepraxis-io/packages/container/package/ubuntu22.04
- https://github.com/orgs/codepraxis-io/packages/container/package/alpine3.16
Building a Java SpringBoot app and creating Docker images based on various base images
Dockerfiles
Java SpringBoot / Gradle app:
Java SpringBoot / Maven app:
Python Flask app:
Docker images available to use as base images
- Distroless: https://github.com/GoogleContainerTools/distroless
- Distroless vs alpine: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22
Docker image build mechanisms
- Docker Buildx: https://github.com/docker/buildx
- Kaniko: https://github.com/GoogleContainerTools/kaniko
- Cloud Native Buildpacks: https://buildpacks.io/
- Containerd/nerdctl: https://github.com/containerd/nerdctl
- Podman https://github.com/containers/podman
- Jib: https://github.com/GoogleContainerTools/jib
Other resources
- Earthly https://earthly.dev
- https://jpetazzo.github.io/2020/02/01/quest-minimal-docker-images-part-1/
- https://blog.kubesimplify.com/the-secret-gems-behind-building-container-images-enter-buildkit-and-docker-buildx
- https://ashishtechmill.com/comparing-modern-day-container-image-builders-jib-buildpacks-and-docker
- https://medium.com/geekculture/create-docker-images-without-docker-daemon-kaniko-847a688155a6
Creating a new SpringBoot application: https://start.spring.io/
Go ecosystem:
- Ko: https://github.com/ko-build/ko
- goreleaser: https://github.com/goreleaser/goreleaser
- goreleaser supply chain example: https://github.com/goreleaser/supply-chain-example
- podinfo: https://github.com/stefanprodan/podinfo
Kubernetes-in-a-box
- KIND: https://kind.sigs.k8s.io/
- Running a local Docker registry in kind: https://kind.sigs.k8s.io/docs/user/private-registries/
- microk8s: https://microk8s.io/
Vulnerability databases
- "Common Vulnerabilities and Exposures" aka CVE: https://cve.mitre.org/cve/search_cve_list.html
- "National Vulnerability Database" aka NVD: https://nvd.nist.gov/
Google Security ecosystem
- https://deps.dev/
- https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html
- https://osv.dev/
- https://github.com/google/osv-scanner
Scanning Dockerfiles for security vulnerabilities
- Hadolint: https://github.com/hadolint/hadolint
- Semgrep: https://semgrep.dev/docs/
Scanning Docker images for security vulnerabilities
- Trivy: https://github.com/aquasecurity/trivy
- Grype: https://github.com/anchore/grype
- SARIF format: https://sarifweb.azurewebsites.net/
Generating SBOMs from Docker images
- Syft: https://github.com/anchore/syft
- Syft and Grype: https://medium.com/rahasak/container-vulnerability-scan-with-syft-and-grype-f4ec9cd4d7f1
Generating CycloneDX and SPDX SBOMs from code
- CycloneDX https://github.com/CycloneDX/cyclonedx-python
- SPDX
More SBOM resources
- https://owasp.org/www-project-dependency-track/
- https://cyclonedx.org/tool-center/
- https://spdx.dev/tools-community/
- https://sysdig.com/blog/sbom-101-software-bill-of-materials
- https://mergebase.com/blog/best-tools-for-generating-sbom/
- https://github.com/opensbom-generator/spdx-sbom-generator
- https://pedrodelgallego.github.io/blog/engineering/capabilities/security/software-bill-of-materials-devsecops/
- https://github.com/IBM/sbom-utility
- https://paketo.io/docs/howto/sbom/#access-the-software-bill-of-materials-on-a-sample-application
Sigstore tools
- Cosign: https://github.com/sigstore/cosign
- Keyless signing with GitHub Actions:
- https://www.chainguard.dev/unchained/zero-friction-keyless-signing-with-github-actions
- https://github.com/codepraxis-io/keyless-cosign
- Python sigstore module:
- https://github.com/sigstore/sigstore-python
- https://www.python.org/download/sigstore/
- https://blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/
Attesting artifacts
- in-toto: https://in-toto.io/
- https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/
- OCI as attestations storage for your packages: https://nextjs.marcofranssen.nl/oci-as-attestations-storage-for-your-packages
Chainguard ecosystem
- Wolfi: https://github.com/wolfi-dev/os
- Apko: https://github.com/chainguard-dev/apko
- Melange: https://github.com/chainguard-dev/melange
GitHub Actions Reusable Workflows
- Reusable workflows and reusable actions
- Types of triggers (branch, tag, release)
- https://docs.github.com/en/actions/using-workflows/reusing-workflows
- https://betterprogramming.pub/how-to-use-github-actions-reusable-workflow-8604e8cbf258
Safeguarding artifact integrity (SLSA)
- SLSA: https://slsa.dev/
- SLSA levels: https://slsa.dev/spec/v1.0/levels
- SLSA guide: https://fossa.com/blog/practical-guide-slsa-framework/
- SLSA GitHub generator: https://github.com/slsa-framework/slsa-github-generator
- SLSA verifier: https://github.com/slsa-framework/slsa-verifier
- SLSA and in-toto: http://slsa.dev/blog/2023/05/in-toto-and-slsa
- SLSA and node.js: http://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem
- Google Distroless achieves SLSA level 2: https://www.infoq.com/news/2022/10/distroless-slsa-level-two/
- VEX: https://cloud.google.com/blog/products/identity-security/how-vex-helps-sbomslsa-improve-supply-chain-visibility
- SLSA and GUAC: https://github.com/guacsec/guac
- https://slsa.dev/blog/2022/08/slsa-github-workflows-generic-ga
- https://slsa.dev/blog/2022/05/slsa-sbom
GitHub Actions and SLSA
- Generation of SLSA3+ provenance for native GitHub projects: https://github.com/slsa-framework/slsa-github-generator
- https://security.googleblog.com/2022/04/improving-software-supply-chain.html
- https://github.com/slsa-framework/github-actions-demo
- https://marcofranssen.nl/secure-your-software-supply-chain-using-sigstore-and-github-actions
- https://github.com/philips-labs/slsa-provenance-action
- Example of using SLSA GitHub Action Workflows: https://github.com/codepraxis-io/katana
- Microsoft's Open Source Software (OSS) Secure Supply Chain (SSC) Framework: https://github.com/microsoft/oss-ssc-framework
- Running Dependency Track for inspecting SBOMs: https://dependencytrack.org/
- Kyverno policies for allowing only signed images to run in kind: https://kyverno.io/docs/writing-policies/verify-images/
- Carvel suite of tools: https://carvel.dev/
- Build reproducibility: https://buildpacks.io/docs/features/reproducibility/
- CNI: https://medium.com/geekculture/k8s-network-cni-introduction-b035d42ad68f
- DevSecOps with GitHub security: https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github