February 1-2, 2023 | Seattle, WA

Thursday, February 2 • 1:55pm - 2:30pm
Spicing up Container Image Security with SLSA & GUAC - Ian Lewis, Google

Understanding and verifying the content of images that you deploy in production environments is difficult and error prone. Images could be built in an insecure environment or by a malicious actor, or could include insecure dependencies. Users often don't have enough information to determine whether images are trustworthy. Two new tools can help: Supply chain Levels for Software Artifacts (SLSA) and Graph for Understanding Artifact Composition (GUAC). In this talk attendees will learn how to add SLSA provenance metadata to their container images and strongly link images back to their source code on multiple build systems, including GitHub Actions and Google Cloud Build. We will also cover how to verify images and their metadata before use, both when running locally and when running images in Kubernetes. Using policy engines like Kyverno and Sigstore policy-controller, we can verify an image's source code repository, builder identity, build entry points, and more to protect production environments from malicious images. Finally, we'll discuss how to understand your image's supply chain using GUAC, and how combining SLSA with GUAC gives a clearer picture of the contents and build provenance of your images, from the base layers on down.

Ian Lewis

Developer Relations Engineer, Google
Ian is an engineer at Google working on Supply Chain Security. Ian has been living in Tokyo since 2006 and has had various developer and operations roles throughout his career while staying active in the open-source developer community. Ian is a contributor to the SLSA framework and...

Thursday February 2, 2023 1:55pm - 2:30pm PST
Room 606/607
  Supply Chains