Back To Schedule
Wednesday, October 13 • 11:00am - 11:35am
Back to the Drawing Board: Building Containers with SBoMs - Nisha Kumar, VMware

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
A Software Bill of Materials or SBoM is a list of software components that comprise a software artifact, be it firmware, OS, a VM, and yes, a container. We can generate an SBoM for container images post build using image scanners like Claire, Trivy, Tern, and Syft. This method is not foolproof, however, as they rely on metadata existing in the container filesystem (such as package manifests) in order to report on them. If a container goes through a multistage build or tools like Docker-slim to reduce the attack surface of the container, all that metadata is gone. How do we get more accurate and consistent SBoMs for containers? We generate them at container build time. This talk demonstrates how we can do that with tools like Tern, Buildah, and the OCI specification. We will get back to the basics of building containers, learn about the OCI specification, and make a container builder which can generate an SBoM at build time.

avatar for Nisha Kumar

Nisha Kumar

Senior Open Source Engineer, VMWare
Nisha is a Senior Open Source Engineer at VMware and the technical lead for container packaging and distribution. She has been a DevOps engineer for embedded systems and a Radio Frequency Engineer in semiconductor manufacturing. She has been involved in Open Source for more than 15... Read More →

Wednesday October 13, 2021 11:00am - 11:35am PDT
Petree Hall D + Online