Tag: cybersecurity

  • Authenticating with OCI Registries – GitHub Container Registry (GHCR) Implementation

    Update 2024-03-04: Below, I mention that GHCR does not return proper scope in the www-authenticate header, which is not correct. GHCR returns the hint repository:user/image:pull only if no real repository is requested (e.g. for the /v2/ and _catalog endpoints). If I request an existing repository (e.g. toddysm/python) the scope is properly set as repository:toddysm/python:pull in…

  • What is a Container Image Quarantine Flag and How to Use it?

    In my last post, Implementing Quarantine Pattern for Container Images, I wrote about how to implement a quarantine pattern for container images and how to use policies to prevent the deployment of an image that doesn’t meet certain criteria. In that post, I also mentioned that the quarantine flag (not to be confused with the…

  • Implementing Quarantine Pattern for Container Images

    One important step in securing the supply chain for containers is preventing the use of “bad” images. I intentionally use the word “bad” here. For one enterprise, “bad” may mean “vulnerable”; for another, it may mean containing software with an unapproved license; for a third, it may be an image with a questionable signature; possibilities…

  • Addressing the Current Challenges of Patching Container Vulnerabilities

    While working on a process of improving the container secure supply chain, I often need to go over the current challenges of patching container vulnerabilities. With the introduction of Automatic VM Patching, having those conversations is even more challenging because there is always the question: “Why can’t we patch containers the same way we patch…