Container image security part 3: Building custom minimal container images
This article explains how you can build your own minimal images using the CLI tools apko (Chainguard/WolfiOS), Chisel CLI (Ubuntu Chiseled), and Marinara (Azure Linux).
This article provides an overview of free and open-source minimal container images for bare Linuxes (into which you would copy native binaries compiled with C/C++, Go, or Rust), PHP, Python, Java, C#, and Node.js, from the image vendors Google distroless, Chainguard, Ubuntu, and Azure Linux. It explains why minimal images matter, how they are defined, and their general pros and cons.
This article discusses why container image vulnerability scanners, like Trivy, often produce false positives and negatives. It outlines the resulting issues and provides specific examples of these inaccuracies. Additionally, an analysis of eight popular Docker Hub images reveals that Trivy’s open-source version rarely detects the tested CVEs in the image’s primary component compared to Grype.
This article explains the best Docker registry tools for browsing registries/images and manipulating/copying images. It comes with elaborate feature comparison tables. I also explain use cases that illustrate why and when you should use these tools. The analyzed tools include Skopeo, Regctl, ORAS CLI, crane, and many others. Finally, I provide a list of temporary …
This article takes a detailed look at BuildKit's attestation feature, one of several options for creating and verifying attestations for Docker images. BuildKit, the image builder used under the hood by “docker build”, can create attestations for the Docker image that it builds, uploading these attestations to the image registry (as JSON manifests) as …
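As an added illustration of the manifest layout that teaser refers to (example code written for this page, not code from the article or from the BuildKit project): BuildKit attaches attestations to an image as an extra manifest in the OCI image index, marked with the annotations `vnd.docker.reference.type=attestation-manifest` and `vnd.docker.reference.digest=<image manifest digest>`, and the layers of that manifest are in-toto statements (`application/vnd.in-toto+json`). The script below builds such an index in an in-memory blob store with constructed data (the image name, config digests and builder id are made up) and shows the check a consumer should make before trusting a statement: the statement's own subject digest must equal the image manifest it is attached to, otherwise the attestation describes some other artifact.

```python
import hashlib
import json

# Constructed sample data for this example, not real registry content.

def digest_of(blob: bytes) -> str:
    """OCI content digest of a blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

# In-memory content-addressed blob store standing in for a registry.
BLOBS: dict[str, bytes] = {}

def put(obj: dict) -> str:
    """Serialise obj, store it under its digest and return the digest."""
    blob = json.dumps(obj, sort_keys=True).encode()
    dgst = digest_of(blob)
    BLOBS[dgst] = blob
    return dgst

def fetch(dgst: str) -> dict:
    """Load a blob and verify it really has the digest it was requested by."""
    blob = BLOBS[dgst]
    if digest_of(blob) != dgst:
        raise ValueError(f"blob does not match digest {dgst}")
    return json.loads(blob)

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
IN_TOTO = "application/vnd.in-toto+json"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v0.2"

# 1. The platform image manifest (layers omitted; config digest is made up).
IMAGE_MANIFEST_DIGEST = put({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 2},
    "layers": [],
})

# 2. The in-toto statement whose subject is that image manifest.
STATEMENT_DIGEST = put({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_PROVENANCE,
    "subject": [{"name": "pkg:docker/example/app@latest",
                 "digest": {"sha256": IMAGE_MANIFEST_DIGEST.split(":", 1)[1]}}],
    "predicate": {"builder": {"id": "https://example.invalid/buildkit"}},
})

# 3. The attestation manifest: its layers are in-toto statements.
ATTESTATION_MANIFEST_DIGEST = put({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "22" * 32, "size": 2},
    "layers": [{"mediaType": IN_TOTO, "digest": STATEMENT_DIGEST,
                "size": len(BLOBS[STATEMENT_DIGEST]),
                "annotations": {"in-toto.io/predicate-type": SLSA_PROVENANCE}}],
})

# 4. The image index that ties the two manifests together.
INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": IMAGE_MANIFEST_DIGEST,
         "size": len(BLOBS[IMAGE_MANIFEST_DIGEST]),
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": OCI_MANIFEST, "digest": ATTESTATION_MANIFEST_DIGEST,
         "size": len(BLOBS[ATTESTATION_MANIFEST_DIGEST]),
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMAGE_MANIFEST_DIGEST}},
    ],
}

def subject_matches(statement: dict, image_digest: str) -> bool:
    """True if one of the statement's subjects carries the image manifest digest."""
    want = image_digest.split(":", 1)[1]
    return any(s.get("digest", {}).get("sha256") == want
               for s in statement.get("subject", []))

def find_attestations(index: dict, image_digest: str) -> list[dict]:
    """Return the in-toto statements attached to image_digest.

    A statement is only accepted if it is reachable from an attestation
    manifest that references image_digest AND its own subject names the
    same digest; a mismatch means the attestation describes something else.
    """
    statements = []
    for entry in index["manifests"]:
        ann = entry.get("annotations", {})
        if ann.get("vnd.docker.reference.type") != "attestation-manifest":
            continue
        if ann.get("vnd.docker.reference.digest") != image_digest:
            continue
        for layer in fetch(entry["digest"])["layers"]:
            if layer["mediaType"] != IN_TOTO:
                continue
            stmt = fetch(layer["digest"])
            if not subject_matches(stmt, image_digest):
                raise ValueError("attestation subject does not match the image it is attached to")
            statements.append(stmt)
    return statements

def predicate_types(index: dict, image_digest: str) -> list[str]:
    """Predicate types (e.g. SLSA provenance) of all accepted attestations."""
    return [s["predicateType"] for s in find_attestations(index, image_digest)]
```

The subject check matters because the index annotation only says where an attestation manifest was meant to hang; the statement body is what a verifier actually signs or inspects, so both must name the same manifest digest. Querying for a digest that has no attestation manifest simply yields an empty list.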
This article takes a detailed look at GitHub’s attestation feature, one of several options for creating and verifying attestations for Docker images and files.
This article takes a detailed look at Cosign, one of several tools for signing and verifying Docker images and adding attestations such as build provenance.
This article takes a detailed look at image signatures created by Notation, which is one of several tools to sign and verify Docker images.
This article provides an overview of available options to a) sign and verify Docker/container images and b) create image attestations. It compares the tools Docker Content Trust, BuildKit attestations, Notation, Cosign, and GitHub attestations. The basic terms and concepts are explained, and it concludes with recommendations for which tool is most suitable per use case.
Full stack web frameworks, like Reflex (Python) or Vaadin (Java), enable backend-focused developers to build web applications, including the frontend UI, using a backend language like Java. These frameworks include a (large) UI component library and require no knowledge of frontend technologies. However, using such frameworks comes with major caveats that should give you pause …