Final slides for 20230517

Author: nicholasdille

060_security/11_artifacts/slides.md

@@ -15,7 +15,7 @@ Distribution spec 1.1.0-rc.2 [](https://github.com/opencontainers/distribution-s
 
 Referrers add relationships between digests
 
-Implementations: [regclient](https://github.com/regclient/regclient/blob/main/docs/regctl.md#artifact-commands), [trivy](https://github.com/aquasecurity/trivy-plugin-referrer), [oras](https://oras.land/docs/cli/reference_types/#discovering-artifact-references), [distribution](https://github.com/oras-project/distribution)
+Implementations: [regclient](https://github.com/regclient/regclient/blob/main/docs/regctl.md#artifact-commands), [trivy](https://github.com/aquasecurity/trivy-plugin-referrer), [oras](https://oras.land/docs/cli/reference_types/#discovering-artifact-references), [distribution](https://github.com/oras-project/distribution), cosign [](https://github.com/sigstore/cosign/blob/v2.0.2/doc/cosign_sign.md?plain=1#L94)
 
 ---
 

120_kubernetes/kyverno/cosign.md

@@ -1,6 +1,6 @@
 ## Kyverno for Cosign
 
-Kyverno can verfiy image signatures
+Kyverno can verify image signatures
 
 Select images using wildcards
 

170_supply_chain_security/activity.md

@@ -24,7 +24,7 @@ scorecard --repo=github.com/moby/moby
 
 ## Scorecard data
 
-One million critical open source projects are scanned weekls [](https://github.com/ossf/scorecard#public-data)
+One million critical open source projects are scanned weekly [](https://github.com/ossf/scorecard#public-data)
 
 Data is shared publicly
 

170_supply_chain_security/approaches.md

@@ -10,7 +10,7 @@ Automated dependency updates
 
 Generate a Software Bill of Materials (SBoM)
 
-Scan for vulnerabilities
+Scan for vulnerabilities and audit
 
 Scan for license compliance
 

170_supply_chain_security/cosign/cosign.demo

@@ -28,4 +28,15 @@ https://search.sigstore.dev/
 # Verify signature
 EMAIL=???
 COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/nicholasdille/container-slides/ubuntu:22.04 --certificate-oidc-issuer https://github.com/login/oauth --cer
-tificate-identity ${EMAIL}
+tificate-identity ${EMAIL}
+
+# Sign arbitrary artifact
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz.pem
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz.sig
+COSIGN_EXPERIMENTAL=1 cosign verify-blob trivy_0.41.0_Linux-64bit.tar.gz \
+    --certificate trivy_0.41.0_Linux-64bit.tar.gz.pem \
+    --signature trivy_0.41.0_Linux-64bit.tar.gz.sig \
+    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-identity-regexp 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v*' \
+    --certificate-github-workflow-repository aquasecurity/trivy

170_supply_chain_security/docker-scout.md

@@ -1,3 +1,7 @@
 ## Docker Scout
 
-XXX
+XXX https://docs.docker.com/scout/
+
+XXX https://docs.docker.com/engine/reference/commandline/scout_cves/
+
+XXX recommendations

170_supply_chain_security/sbom/sbom.demo

@@ -7,7 +7,7 @@ docker-setup --tools=docker,buildx,docker-compose,kind,helm,kubectl,gvisor,cosig
 syft packages aquasec/trivy:0.34.0 --file trivy.json --output cyclonedx-json
 
 # Generate SBoM of alpine 3.16
-syft packages alpine:3.16 --file alpine-3.16.json --output cyclonedx-json
+syft packages alpine:3.18 --file alpine-3.18.json --output cyclonedx-json
 
 # Scan trivy.json
 grype sbom:trivy.json

170_supply_chain_security/vulnerabilities.md

@@ -8,9 +8,6 @@ Linked to vendors/products/versions by<br/>*Common Platform Enumeration* (CPE) [
 
 Scored by<br/>*Common Vulnerability Scoring System* (CVSS) [](https://nvd.nist.gov/vuln-metrics/cvss)
 
-- Scale 0-10
-- Low, medium, high, critical
-
 Also scored by<br/>*Exploit Prediction Scoring System* (EPSS) [](https://www.first.org/epss/)
 
 ### Understand your dependencies [](https://deps.dev/)

2023-05-17_heise-Webinar-KubernetesSupplyChainSecurity.html

@@ -79,7 +79,7 @@
 
 <section data-markdown="" data-separator="^---$" data-separator-vertical="^--$"><textarea data-template="">
 <!-- .slide: class="center" -->
-## <i class="fa-duotone fa-ball-pile"></i> Dependencies / Vulnerabilites
+## <i class="fa-duotone fa-bug"></i> Dependencies / Vulnerabilites
 </textarea></section>
 <section data-markdown="170_supply_chain_security/vulnerabilities.md" data-separator="^---$" data-separator-vertical="^--$"></section>
 <section data-markdown="170_supply_chain_security/sbom/slides.md" data-separator="^---$" data-separator-vertical="^--$"></section>
@@ -101,7 +101,7 @@
 
 <section data-markdown="" data-separator="^---$" data-separator-vertical="^--$"><textarea data-template="">
 <!-- .slide: class="center" -->
-## <i class="fa-duotone fa-ball-pile"></i> Activity
+## <i class="fa-duotone fa-person-hiking"></i> Activity
 </textarea></section>
 <section data-markdown="170_supply_chain_security/activity.md" data-separator="^---$" data-separator-vertical="^--$"></section>