This article explains the best Docker registry tools for browsing registries/images and manipulating/copying images. It comes with elaborate feature comparison tables. I also explain use cases that illustrate why and when you should use these tools. The analyzed tools include Skopeo, Regctl, ORAS CLI, crane, and many others. Finally, I provide a list of temporary … Read more
This article takes a detailed look at BuildKit‘s attestation feature, one of several options for creating and verifying attestations for Docker images. Introduction BuildKit, the image builder used under the hood by “docker build”, can create attestations for the Docker image that it builds, uploading these attestations to the image registry (as JSON manifests) as … Read more
This article takes a detailed look at GitHub’s attestation feature, one of several options for creating and verifying attestations for Docker images and files.
This article takes a detailed look at Cosign, one of several tools for creating and verifying Docker images and adding attestations such as build provenance.
This article takes a detailed look at image signatures created by Notation, which is one of several tools to create and verify Docker images.
This article provides an overview of available options to a) sign and verify Docker/container images and b) create image attestations. It compares the tools Docker Content Trust, BuildKit attestations, Notation, Cosign, and GitHub attestations. The basic terms and concepts are explained, and it concludes with recommendations for which tool is most suitable per use case.
For developers who directly call the Docker Hub APIs, this article sheds light on how Docker Hub handles rate limiting, particularly for HEAD requests. Here, the behavior differs in unexpected ways from the well-known image pull rate limits.
This article explains how to use my open-source Docker Tag Monitor website to determine how frequently the maintainers of a Docker image rebuild specific image version tags. It also explains why the image rebuild frequency matters when choosing the best (base) image.
This article benchmarks the performance of two different Python frameworks (Django, FastAPI) and a Go framework (Pocketbase), when making GET requests that serialize 20 simple JSON objects from a relational database (SQLite, PostgreSQL). The results show that Go/Pocketbase is only about twice as fast as Python/FastAPI, which is surprising, given that Go is generally considered … Read more
This article introduces 12 tips to optimize your Docker image security. For each tip, it explains the underlying attack vector, and one or more mitigation approaches. Tips include avoiding leaking of build secrets, running as non-root user, or how to make sure to use the most recent dependencies and updates. Originally posted on 2022-02-20, updated … Read more