This talk will be held in German.
Marius Shekow
is a DevOps and cloud engineer at SprintEins, Bonn. He is responsible for all cloud-related software engineering practices, such as Continuous Integration, Continuous Delivery & Deployment (CI/CD), testing, and Infrastructure as Code.
Modern software supply chains, including Docker/container images, are an attractive target for attackers. If you pull a tampered image, you may end up running malware in production.
This talk introduces supply chain security and shows how cryptographic signing and attestations strengthen trust in container artifacts, addressing 4 out of 8 SLSA supply chain threats. It compares Docker/BuildKit attestations, Notation, Cosign, and GitHub attestations, explains when to use each, and demystifies formats such as in-toto attestations and trust policies.
You’ll leave with practical guidance to start signing, attesting, and verifying artifacts in your own pipelines, Docker, and Kubernetes.
Attendees should have a basic understanding of how Docker and container images work, as well as prior experience running and operating containers, either with Docker (Compose) or Kubernetes.
Attendees learn the basics of supply chain security, why signatures and attestations help prevent several attack vectors, and how the different signing and attestation implementations work under the hood. They learn the concrete steps and concepts involved in signing and verifying software artifacts (or creating attestations), as well as the pros and cons of each tool.