Supply Chain Security Overview
Container supply chain security ensures that the code and dependencies in your container images are verified and trustworthy. It covers vulnerability scanning, image signing, SBOM generation, CI/CD pipeline security, and artifact verification.
💡 Key Insight: A container is only as secure as its weakest dependency. Supply chain attacks are increasingly targeting container ecosystems.
Vulnerability Scanning
Container Image Scanning Tools
| Tool | Features |
|---|---|
| Trivy | Fast, comprehensive vulnerability scanning for images, config, code |
| Grype | SBOM-based vulnerability detection |
| Aqua Microscanner | Container image scanning in build pipelines |
| Snyk | Developer-focused vulnerability scanning and remediation |
| Anchore | Policy-based image scanning and compliance |
Scan with Trivy
```bash
# Scan an image for vulnerabilities
trivy image myregistry.azurecr.io/myapp:latest
# Scan with machine-readable (JSON) output, e.g. for a pipeline gate
trivy image --format json myapp:latest
# Scan a source tree (filesystem mode)
trivy fs .
```
Scanning in CI/CD
- Scan images before pushing to registry
- Block deployment of high-severity vulnerabilities
- Generate SBOM during build
- Track vulnerability history
Image Signing with Cosign
Cosign Overview
Cosign enables container image signing and verification using cryptographic signatures:
- Sign images with private keys
- Verify signatures using public keys
- Store signatures in registry
- Enforce signature verification at deployment
Sign an Image
```bash
# Generate a key pair (one-time; prompts for a password that encrypts cosign.key)
cosign generate-key-pair
# Sign the image; the signature is pushed to the registry next to the image
cosign sign --key cosign.key myregistry.azurecr.io/myapp:latest
# Verify the signature with the public key
cosign verify --key cosign.pub myregistry.azurecr.io/myapp:latest
```
Enforce Signature Verification
Use admission controllers to require signed images:
- Sigstore policy-controller: native verification of Cosign signatures at admission time
- Notary: Docker Notary content trust for image signing
- OPA/Gatekeeper: policy enforcement that can require signed images
SBOM (Software Bill of Materials)
What is SBOM?
A complete inventory of all software components and dependencies in an image:
- Operating system packages
- Application libraries and frameworks
- License information
- Vulnerability metadata
Generate SBOM
```bash
# Generate with Syft (Syft's native JSON; use -o spdx-json or -o cyclonedx-json for standard formats)
syft myregistry.azurecr.io/myapp:latest -o json > sbom.json
# Generate with Trivy in SPDX JSON format (Trivy has no "--format sbom"; use spdx-json or cyclonedx)
trivy image --format spdx-json --output sbom.spdx.json myapp:latest
# Attach the SBOM to the image in the registry (attach stores it; use "cosign attest" to sign it)
cosign attach sbom --sbom sbom.spdx.json myregistry.azurecr.io/myapp:latest
```
SBOM Benefits
- Complete visibility into dependencies
- Faster vulnerability tracking
- License compliance verification
- Supply chain transparency
⚠️ Important: An SBOM helps track vulnerabilities but doesn't prevent attacks. Combine it with other controls such as image signing and vulnerability scanning.
CI/CD Pipeline Hardening
Secure Build Pipeline
- Source Code: Scan code for secrets, vulnerabilities
- Dependencies: Verify dependency versions, licenses
- Build: Use minimal base images, validate checksums
- Test: Run security tests, SAST, DAST
- Scan: Scan final image for vulnerabilities
- Sign: Sign image and generate SBOM
- Push: Push only to trusted registries
Example GitHub Actions Workflow
```yaml
name: Secure Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
      - name: Build image
        run: docker build -t myregistry.azurecr.io/myapp:${{ github.sha }} .
      - name: Run Trivy scan (fail the job on CRITICAL/HIGH findings)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myregistry.azurecr.io/myapp:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'
      # registry login step omitted; the image must be in the registry before cosign can sign it
      - name: Push image
        run: docker push myregistry.azurecr.io/myapp:${{ github.sha }}
      - name: Sign the same image that was scanned
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}  # password of the key generated earlier
        run: cosign sign --key env://COSIGN_PRIVATE_KEY myregistry.azurecr.io/myapp:${{ github.sha }}
```
Pipeline Best Practices
- Automate all security checks
- Fail builds on high-severity vulnerabilities
- Require code reviews before merge
- Sign all production images
- Generate SBOM for all images
- Track image provenance
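The "block deployment of high-severity vulnerabilities" step above (and the same bullet under Scanning in CI/CD) is usually a small gate that reads the JSON report from `trivy image --format json`. The script below is an added example, not code from the page or from the Trivy project; the sample report and its CVE ids are constructed placeholders, and the accepted-exception list is an assumed, reviewer-maintained allowlist.

```python
import json
import sys

BLOCKING = {"CRITICAL", "HIGH"}  # severities that fail the gate


def gate_trivy_report(report, ignore_unfixed=False, accepted_ids=frozenset()):
    """Decide from a Trivy JSON report (`trivy image --format json`) whether
    the image may be pushed. A finding blocks when its severity is in
    BLOCKING, unless it is on the reviewed exception list `accepted_ids` or,
    with ignore_unfixed=True, the distro has no fixed version yet."""
    counts, blocking = {}, []
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets, hence "or []"
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
            if sev not in BLOCKING or v["VulnerabilityID"] in accepted_ids:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            blocking.append({"id": v["VulnerabilityID"],
                             "pkg": f"{v['PkgName']}@{v['InstalledVersion']}",
                             "fixed": v.get("FixedVersion") or "none",
                             "target": result.get("Target", "?")})
    return {"counts": counts, "blocking": blocking, "passed": not blocking}


# Constructed sample in Trivy's JSON layout; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.loads("""{"SchemaVersion": 2, "ArtifactName": "myapp:latest",
 "Results": [
  {"Target": "myapp:latest (alpine 3.18.0)", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH",
    "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0"},
   {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "CRITICAL",
    "InstalledVersion": "1.36.0-r0"},
   {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
    "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1"}]},
  {"Target": "app/requirements.txt", "Vulnerabilities": null}]}""")

if __name__ == "__main__":
    # In a pipeline: report = json.load(open("trivy.json")); a non-zero exit blocks the push
    verdict = gate_trivy_report(SAMPLE_REPORT, ignore_unfixed=True)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['id']} {f['pkg']} fix={f['fixed']} in {f['target']}")
    print("counts:", verdict["counts"], "passed:", verdict["passed"])
    sys.exit(0 if verdict["passed"] else 1)
```

Run it after the scan step and before the push step so that an unsigned, unscanned or failing image never reaches the registry; exceptions belong in the allowlist with a review record, not in the severity threshold.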
Supply Chain Security Checklist
- ✓ Scan all base images before use
- ✓ Use minimal base images (Alpine, Distroless)
- ✓ Scan images during build process
- ✓ Generate SBOM for all images
- ✓ Sign production images with Cosign
- ✓ Enforce signature verification at deployment
- ✓ Scan source code and dependencies
- ✓ Use secure registries only
- ✓ Implement image retention policies
- ✓ Track image provenance and audit trails
Recommended Tools Stack
- Code Scanning: SonarQube, Snyk, GitHub CodeQL
- Dependency Checking: Dependabot, WhiteSource
- Image Scanning: Trivy, Aqua Microscanner
- SBOM Generation: Syft, Trivy
- Image Signing: Cosign, Notary
- Registry: Docker Hub, ECR, ACR, Harbor
- Policy Enforcement: OPA/Gatekeeper, Kyverno