Container & Kubernetes Security

Supply Chain Security

Software supply chain attacks increased 742% from 2019-2022. Securing the container build pipeline—from source code to production—is critical for preventing compromise of cloud-native applications.

Supply Chain Attack Vectors

Attack Surface

┌─────────────────────────────────────────────────────┐
│              Software Supply Chain                   │
├─────────────────────────────────────────────────────┤
│  Source Code → Build → Package → Deploy → Runtime   │
│      │           │        │         │         │     │
│   Malicious   Compromised Base   Unsigned   Drift   │
│   Commits     CI/CD      Images   Images            │
└─────────────────────────────────────────────────────┘

| Stage | Attack Vector | Example |
| --- | --- | --- |
| Source | Malicious dependency | PyPI typosquatting |
| Build | Compromised CI/CD | SolarWinds (2020) |
| Package | Vulnerable base image | Log4Shell in containers |
| Deploy | Unsigned images | Man-in-the-middle injection |
| Runtime | Configuration drift | Kubernetes misconfig |

Software Bill of Materials (SBOM)

Why SBOM Matters

  • US Executive Order 14028 mandates SBOM for federal suppliers
  • Enables rapid vulnerability response (Log4Shell response)
  • Required for compliance (FedRAMP, SOC2)

Generating SBOM

Syft - SBOM generator:

# Generate SBOM from container image
syft myapp:latest -o spdx-json > sbom.spdx.json

# Generate CycloneDX format
syft myapp:latest -o cyclonedx-json > sbom.cdx.json

# Scan filesystem
syft dir:/path/to/project -o spdx-json > sbom.spdx.json

Trivy - Combined scanning + SBOM:

# Generate SBOM
trivy image --format spdx-json -o sbom.json myapp:latest

# Scan existing SBOM for vulnerabilities
trivy sbom sbom.json

SBOM Example (CycloneDX)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2"
    },
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/express@4.18.2",
      "dependsOn": ["pkg:npm/body-parser@1.20.0"]
    }
  ]
}
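
The "rapid vulnerability response" use of an SBOM comes down to a query like the one below. This is an added example, not code from the original page or from the Syft or Trivy projects: it searches a CycloneDX document for a package below a fixed version and walks the dependency graph backwards to show what pulls it in. The body-parser component entry and the version threshold are constructed for the demonstration.

```python
import json
from collections import defaultdict

# Constructed sample: the CycloneDX document shown above, plus a component
# entry for the body-parser package that express depends on.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "body-parser", "version": "1.20.0", "purl": "pkg:npm/body-parser@1.20.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/body-parser@1.20.0"]}
  ]
}""")

def version_key(version):
    """Numeric sort key for dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def find_affected(sbom, name, fixed_in):
    """Map each component `name` older than `fixed_in` to everything that pulls it in."""
    parents = defaultdict(set)  # child ref -> refs that depend on it directly
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].add(dep["ref"])
    hits = {}
    for comp in sbom.get("components", []):
        if comp.get("name") != name:
            continue
        if version_key(comp.get("version", "0")) >= version_key(fixed_in):
            continue
        ref = comp.get("bom-ref") or comp.get("purl", name)
        # Walk the reversed dependency graph to collect transitive dependents.
        seen, stack = set(), [ref]
        while stack:
            for parent in parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        hits[ref] = sorted(seen)
    return hits

if __name__ == "__main__":
    # Hypothetical advisory threshold, chosen only to exercise the sample.
    for ref, dependents in find_affected(SBOM, "body-parser", "1.20.3").items():
        print(ref, "<-", dependents or "direct dependency")
```

Run against the SBOMs stored for every deployed image, the same query answers "which services ship the affected version, and through which dependency" without rescanning the images.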

Image Signing and Verification

Cosign Workflow

# Generate signing keys
cosign generate-key-pair

# Sign image after build
cosign sign --key cosign.key gcr.io/project/myapp:v1.0.0

# Verify before deployment
cosign verify --key cosign.pub gcr.io/project/myapp:v1.0.0

Keyless Signing with Sigstore

# Sign with OIDC identity (no key management)
cosign sign gcr.io/project/myapp:v1.0.0

# Verify with certificate identity
cosign verify \
  --certificate-identity developer@company.com \
  --certificate-oidc-issuer https://accounts.google.com \
  gcr.io/project/myapp:v1.0.0

Enforcing Signed Images in Kubernetes

Kyverno policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: verify-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "gcr.io/project/*"
      attestors:
      - entries:
        - keyless:
            subject: "*@company.com"
            issuer: https://accounts.google.com

Secure CI/CD Pipeline

Pipeline Security Best Practices

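# GitHub Actions secure pipeline
# Third-party actions are referenced by tag or branch here for readability;
# pin each one to a full commit SHA in a real pipeline.
name: Secure Build

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # For keyless signing
      packages: write

    steps:
    - uses: actions/checkout@v4

    # Dependency scanning
    - name: Scan dependencies
      uses: snyk/actions/node@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        args: --severity-threshold=high

    # Build with minimal base
    - name: Build image
      run: |
        docker build -t myapp:${{ github.sha }} \
          --build-arg VERSION=${{ github.sha }} .

    # Vulnerability scan
    - name: Scan image
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: myapp:${{ github.sha }}
        exit-code: 1
        severity: CRITICAL,HIGH

    # Generate SBOM
    - name: Generate SBOM
      uses: anchore/sbom-action@v0
      with:
        image: myapp:${{ github.sha }}
        output-file: sbom.spdx.json

    # Push to registry (assumes an earlier step has authenticated to gcr.io)
    - name: Push image
      id: push
      run: |
        docker tag myapp:${{ github.sha }} gcr.io/project/myapp:${{ github.sha }}
        docker push gcr.io/project/myapp:${{ github.sha }}
        echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' gcr.io/project/myapp:${{ github.sha }})" >> "$GITHUB_OUTPUT"

    # Sign image: cosign stores the signature in the registry, so this runs
    # after the push and signs the immutable digest rather than the tag
    - name: Install cosign
      uses: sigstore/cosign-installer@main
    - name: Sign image
      run: |
        cosign sign --yes ${{ steps.push.outputs.digest }}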

Build Environment Security

| Control | Implementation |
| --- | --- |
| Ephemeral runners | Fresh environment each build |
| Minimal permissions | OIDC tokens, not long-lived secrets |
| Dependency pinning | Lock files, hash verification |
| Build attestation | SLSA provenance |
| Artifact signing | Cosign/Sigstore |
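
Dependency pinning applies to the pipeline's own actions as well as to application packages. The audit below is an added example, not part of the original page or of any project it mentions: it lists every `uses:` reference in a workflow that can change underneath the build. The sample workflow text is constructed from the action references in the pipeline above, and the SHA-pinned action name and digest are placeholders.

```python
import re

# Constructed sample: the `uses:` references from the pipeline above, plus a
# SHA-pinned action (placeholder name and digest) and a repository-local action.
WORKFLOW = """\
steps:
- uses: actions/checkout@v4
- name: Scan dependencies
  uses: snyk/actions/node@master
- name: Scan image
  uses: aquasecurity/trivy-action@master
- uses: anchore/sbom-action@v0
- uses: sigstore/cosign-installer@main
- uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
- uses: ./.github/actions/local-build
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Classify one `uses:` reference by how mutable its version part is."""
    if ref.startswith("./"):
        return "local"    # versioned together with the calling repository
    _, _, version = ref.partition("@")
    if FULL_SHA_RE.match(version):
        return "pinned"   # full commit SHA: cannot be re-pointed upstream
    if version in ("", "main", "master"):
        return "branch"   # heuristic: common default-branch names
    return "tag"          # tags can be moved to a different commit

def audit(workflow_text, allow=()):
    """Return (line, reference, kind) for every reference that is not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, kind = match.group(1), classify(match.group(1))
        if kind in ("branch", "tag") and not ref.startswith(tuple(allow)):
            findings.append((lineno, ref, kind))
    return findings

if __name__ == "__main__":
    for lineno, ref, kind in audit(WORKFLOW):
        print(f"line {lineno}: {ref} is a mutable {kind} reference")
```

The `allow` parameter takes reference prefixes that are accepted as exceptions, so the check can run as a CI gate without flagging them.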

SLSA Framework

SLSA Levels

| Level | Requirements | Protection |
| --- | --- | --- |
| SLSA 1 | Documentation | None (baseline) |
| SLSA 2 | Hosted build, signed provenance | Simple tampering |
| SLSA 3 | Hardened builds, non-falsifiable | Build compromise |
| SLSA 4 | Hermetic builds, 2-person review | Insider threats |

Generating SLSA Provenance

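# GitHub Actions SLSA generator
# This is a reusable workflow, so it is called as its own job under `jobs:`, not as a step
provenance:
  needs: [build]
  permissions:
    actions: read     # Read the workflow run details
    id-token: write   # Sign the provenance with the workflow's OIDC identity
    packages: write   # Upload the attestation to the registry
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
  with:
    image: gcr.io/project/myapp
    digest: ${{ needs.build.outputs.digest }}
  secrets:
    registry-username: ${{ secrets.REGISTRY_USERNAME }}
    registry-password: ${{ secrets.REGISTRY_PASSWORD }}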
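
Provenance only helps if something checks it before deployment. The following is an added example, not code from the original page or from the SLSA project: it shows the fields a deploy-time policy compares once the attestation signature has been verified (for example with cosign verify-attestation). It assumes the SLSA v0.2 statement layout; the digest, repository name, workflow path and policy values are constructed placeholders.

```python
# Constructed in-toto statement using the SLSA v0.2 provenance layout (assumed
# here). Digest, repository and workflow path are placeholders.
DIGEST = "a" * 64
BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/.github/"
           "workflows/generator_container_slsa3.yml@refs/tags/v1.9.0")
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "gcr.io/project/myapp", "digest": {"sha256": DIGEST}}],
    "predicate": {
        "builder": {"id": BUILDER},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/myapp@refs/heads/main",
            "entryPoint": ".github/workflows/build.yml",
        }},
    },
}
POLICY = {  # hypothetical deploy policy
    "builders": {BUILDER},
    "source_repo": "git+https://github.com/example-org/myapp",
    "allowed_refs": {"refs/heads/main"},
}

def check_provenance(stmt, image_digest, policy):
    """Return policy violations for an already signature-verified statement."""
    errors = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        errors.append("unexpected predicate type")
    covered = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest.split(":")[-1] not in covered:
        errors.append("provenance does not cover this image digest")
    predicate = stmt.get("predicate", {})
    if predicate.get("builder", {}).get("id") not in policy["builders"]:
        errors.append("untrusted builder")
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    repo, _, ref = source.partition("@")
    if repo != policy["source_repo"]:
        errors.append("unexpected source repository")
    if ref not in policy["allowed_refs"]:
        errors.append("built from an unapproved ref")
    return errors

if __name__ == "__main__":
    print(check_provenance(STATEMENT, "sha256:" + DIGEST, POLICY))
    print(check_provenance(STATEMENT, "sha256:" + "b" * 64, POLICY))
```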

Vulnerability Management

Continuous Scanning Strategy

┌────────────────────────────────────────────────────┐
│            Continuous Vulnerability Scanning        │
├────────────────────────────────────────────────────┤
│  Developer   │  CI/CD    │  Registry  │  Runtime   │
│  IDE scan    │  Build    │  Storage   │  Runtime   │
│  Pre-commit  │  gate     │  scan      │  scan      │
│              │           │            │            │
│  Shift-left  │  Gate     │  Discover  │  Detect    │
└────────────────────────────────────────────────────┘

Cloud Registry Scanning

# AWS ECR - enable scanning
aws ecr put-image-scanning-configuration \
    --repository-name myapp \
    --image-scanning-configuration scanOnPush=true

# Get scan findings
aws ecr describe-image-scan-findings \
    --repository-name myapp \
    --image-id imageTag=latest

# GCP - Artifact Analysis
gcloud artifacts docker images scan \
    us-central1-docker.pkg.dev/project/repo/myapp:latest \
    --format=json

# Azure ACR
az acr repository show-manifests \
    --name myregistry \
    --repository myapp \
    --detail

Supply Chain Security Checklist

| Control | Tool | Stage |
| --- | --- | --- |
| Dependency scanning | Snyk, Dependabot | Source |
| SAST | Semgrep, SonarQube | Build |
| Container scanning | Trivy, Grype | Build/Registry |
| SBOM generation | Syft, Trivy | Build |
| Image signing | Cosign | Build |
| Signature verification | Kyverno, Gatekeeper | Deploy |
| Runtime scanning | Falco, cloud-native | Runtime |
