Final slides for 20230711

Author: nicholasdille

060_security/11_artifacts/slides.md

@@ -7,7 +7,7 @@ Open Container Initiative (OCI) is responsible for multiple specifications:
 - Distribution <span style="color: grey;">(how to talk to image registries)</span> [](https://github.com/opencontainers/distribution-spec)
 - Artifact <span style="color: grey;">(how to store arbitraty data in registries)</span> [](https://github.com/opencontainers/artifacts)
 
-OCI is slowly replacing Docker media types
+OCI is replacing Docker media types
 
 Version 1.1 is in the making
 

120_kubernetes/kyverno/prepare.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -o errexit
 
-docker-setup --tools=docker,buildx,docker-compose,kind,helm,kubectl,cosign,kyverno install
+docker-setup install docker buildx docker-compose kind helm kubectl cosign kyverno
 
 kind create cluster
 

170_supply_chain_security/cosign/cosign.demo

@@ -26,17 +26,17 @@ regctl manifest get ghcr.io/nicholasdille/container-slides/ubuntu:sha256-${DIGES
 https://search.sigstore.dev/
 
 # Verify signature
-EMAIL=???
-COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/nicholasdille/container-slides/ubuntu:22.04 --certificate-oidc-issuer https://github.com/login/oauth --cer
-tificate-identity ${EMAIL}
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/nicholasdille/container-slides/ubuntu:22.04 \
+    --certificate-oidc-issuer https://github.com/login/oauth \
+    --certificate-identity-regexp 'nicholas.dille@.+'
 
 # Sign arbitrary artifact
-curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz
-curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz.pem
-curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.tar.gz.sig
-COSIGN_EXPERIMENTAL=1 cosign verify-blob trivy_0.41.0_Linux-64bit.tar.gz \
-    --certificate trivy_0.41.0_Linux-64bit.tar.gz.pem \
-    --signature trivy_0.41.0_Linux-64bit.tar.gz.sig \
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.43.1/trivy_0.43.1_Linux-64bit.tar.gz
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.43.1/trivy_0.43.1_Linux-64bit.tar.gz.pem
+curl -sLO https://github.com/aquasecurity/trivy/releases/download/v0.43.1/trivy_0.43.1_Linux-64bit.tar.gz.sig
+COSIGN_EXPERIMENTAL=1 cosign verify-blob trivy_0.43.1_Linux-64bit.tar.gz \
+    --certificate trivy_0.43.1_Linux-64bit.tar.gz.pem \
+    --signature trivy_0.43.1_Linux-64bit.tar.gz.sig \
     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
     --certificate-identity-regexp 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v*' \
     --certificate-github-workflow-repository aquasecurity/trivy

170_supply_chain_security/cosign/demo.md

@@ -0,0 +1,7 @@
+## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/cosign/cosign.demo "cosign.demo")
+
+Sign a container image
+
+Keyless sign of a container image
+
+Verify the signature of a container image

170_supply_chain_security/cosign/slides.md

@@ -37,13 +37,3 @@ Kyverno has support builtin
 Bootstrapping the tooling is important
 
 Check the supply chain of required tools
-
----
-
-## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/cosign/cosign.demo "cosign.demo")
-
-Sign a container image
-
-Keyless sign of a container image
-
-Verify the signature of a container image

170_supply_chain_security/sbom-operator/dashbaord-cve-by-image.json

@@ -0,0 +1,257 @@
+{
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": {
+            "type": "grafana",
+            "uid": "-- Grafana --"
+          },
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "editable": true,
+    "fiscalYearStartMonth": 0,
+    "graphTooltip": 0,
+    "id": 3,
+    "links": [],
+    "liveNow": false,
+    "panels": [
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 9,
+          "w": 24,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "targets": [
+          {
+            "datasource": {
+              "type": "prometheus",
+              "uid": "PBFA97CFB590B2093"
+            },
+            "editorMode": "code",
+            "expr": "count by (severity) (vuln_operator_cves{image_id=\"$image\"})",
+            "instant": false,
+            "legendFormat": "__auto",
+            "range": true,
+            "refId": "A"
+          }
+        ],
+        "title": "CVEs by severity",
+        "type": "timeseries"
+      },
+      {
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisCenteredZero": false,
+              "axisColorMode": "text",
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 9,
+          "w": 24,
+          "x": 0,
+          "y": 9
+        },
+        "id": 2,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom",
+            "showLegend": true
+          },
+          "tooltip": {
+            "mode": "single",
+            "sort": "none"
+          }
+        },
+        "targets": [
+          {
+            "datasource": {
+              "type": "prometheus",
+              "uid": "PBFA97CFB590B2093"
+            },
+            "editorMode": "code",
+            "expr": "count by (package, version) (vuln_operator_cves{image_id=\"$image\"})",
+            "instant": false,
+            "legendFormat": "{{package}}@{{version}}",
+            "range": true,
+            "refId": "A"
+          }
+        ],
+        "title": "CVEs by package",
+        "type": "timeseries"
+      }
+    ],
+    "refresh": "10s",
+    "schemaVersion": 38,
+    "style": "dark",
+    "tags": [],
+    "templating": {
+      "list": [
+        {
+          "current": {
+            "selected": false,
+            "text": "docker.io/grafana/grafana@sha256:c2a9d25b77b9a7439e56efffa916e43eda09db4f7b78526082443f9c2ee18dc0",
+            "value": "docker.io/grafana/grafana@sha256:c2a9d25b77b9a7439e56efffa916e43eda09db4f7b78526082443f9c2ee18dc0"
+          },
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "definition": "label_values(image_id)",
+          "hide": 0,
+          "includeAll": false,
+          "label": "Image",
+          "multi": false,
+          "name": "image",
+          "options": [],
+          "query": {
+            "query": "label_values(image_id)",
+            "refId": "PrometheusVariableQueryEditor-VariableQuery"
+          },
+          "refresh": 1,
+          "regex": "",
+          "skipUrlSync": false,
+          "sort": 0,
+          "type": "query"
+        }
+      ]
+    },
+    "time": {
+      "from": "now-6h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "",
+    "title": "CVEs by Image",
+    "uid": "d4e451d2-0482-4477-9376-8e6ad31ec6fc",
+    "version": 2,
+    "weekStart": ""
+  }