SESSION details

Name: Building the Software Supply Chain on Docker Official Images

Date/time: Thursday, October 5, 2023, 11:45 AM - 12:30 PM Pacific Time

Description:

Just as Docker revolutionized software development by making containers accessible to all developers, it is now reimagining software supply chain (SSC) security to make it the easy default for all developers. Docker is modernizing its toolchain, the tools you use every day, to provide SSC security by default: software bills of materials (SBOMs), provenance, cryptographic signing, verification, and more. This talk demonstrates how these principles and tools are applied to the Docker Official Images (DOI) catalog. DOI form the foundation of much of the software running today; with billions of pulls from Docker Hub each month, they are a significant link in most teams' software supply chains. Come and learn how Docker and BastionZero have leveraged open standards such as The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA), along with a novel, decentralized signing approach built on modern cryptographic techniques including OpenPubkey, to augment open source projects like BuildKit and the Docker CLI with SSC metadata and verification.