One Article Review

Home - The article:
Source GoogleSec
Identifier 8333805
Publication date 2023-05-05 11:02:09 (viewed: 2023-05-05 16:07:49)
Title Introducing rules_oci
Text Appu Goundan, Google Open Source Security Team

Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (“ruleset”) that makes it simpler and more secure to build container images with Bazel. This effort was a collaboration we had with Aspect and the Rules Authors Special Interest Group. In this post, we'll explain how rules_oci differs from its predecessor, rules_docker, and describe the benefits it offers for both container image security and the container community.

Bazel and Distroless for supply chain security

Google's popular build and test tool, known as Bazel, is gaining fast adoption within enterprises thanks to its ability to scale to the largest codebases and handle builds in almost any language. Because Bazel manages and caches dependencies by their integrity hash, it is uniquely suited to make assurances about the supply chain based on the Trust-on-First-Use principle. One way Google uses Bazel is to build widely used Distroless base images for Docker. Distroless is a series of minimal base images which improve supply-chain security. They restrict what's in your runtime container to precisely what's necessary for your app, which is a best practice employed by Google and other tech companies that have used containers in production for many years. Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications.

rules_oci vs rules_docker
Rating ★★
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.