Welcome to my home page
This is the place where I publish articles about my findings and progress in the awesome world of technology and beyond! Also, check out my projects or get in touch.
My latest articles

MCP server for up-to-date dependencies
I present an MCP server that looks up the latest stable version of tools and packages/dependencies for Docker, Helm, GitHub Actions, NPM, PyPI, NuGet, Maven/Gradle, Go, PHP, Ruby, Rust, Swift, and Dart.

Secure health checks for minimal container images
This article explains how to add the “lprobe” CLI tool to your container image, which executes health checks/probes triggered by the Docker daemon. In contrast to curl or other alternatives, lprobe is safe because it can only connect to localhost. It supports TCP and HTTP health checks.

Container image security part 4: Choosing the best container image
This article discusses 8 selection criteria for container images, why they matter, and how to evaluate them. It explains why the minimal image criterion implicitly satisfies all other 7 criteria. Finally, the selection criteria are applied to a concrete example to find the best NGINX image.

Container image security part 3: Building custom minimal container images
This article explains how you can build your own minimal images using the CLI tools apko (Chainguard/WolfiOS), Chisel CLI (Ubuntu Chiseled), and Marinara (Azure Linux).

Container image security part 2: Minimal images
This article provides an overview of free and open-source minimal container images for bare Linuxes (into which you would copy native binaries compiled with C/C++, Go, or Rust), PHP, Python, Java, C#, and Node.js, from the image vendors Google distroless, Chainguard, Ubuntu, and Azure Linux. It explains why minimal images matter, how they are defined, and their general pros and cons.

Container image security part 1: Fallacies of image scanners
This article discusses why container image vulnerability scanners, like Trivy, often produce false positives and negatives. It outlines the resulting issues and provides specific examples of these inaccuracies. Additionally, an analysis of eight popular Docker Hub images reveals that Trivy’s open-source version rarely detects the tested CVEs in the image’s primary component compared to Grype.

The 9 best Docker registry tools
This article explains the best Docker registry tools for browsing registries/images and manipulating/copying images. It comes with elaborate feature comparison tables. I also explain use cases that illustrate why and when you should use these tools. The analyzed tools include Skopeo, Regctl, ORAS CLI, crane, and many others. Finally, I provide a list of temporary registries you can use as…

Docker image attestation with BuildKit and its caveats
This article takes a detailed look at BuildKit's attestation feature, one of several options for creating and verifying attestations for Docker images. Introduction: BuildKit, the image builder used under the hood by “docker build”, can create attestations for the Docker image that it builds, uploading these attestations to the image registry (as JSON manifests) as part of the manifest of…

Docker Image attestation with GitHub attestations
This article takes a detailed look at GitHub’s attestation feature, one of several options for creating and verifying attestations for Docker images and files.

Docker Image signing and attestation with Cosign
This article takes a detailed look at Cosign, one of several tools for creating and verifying Docker images and adding attestations such as build provenance.