Fabian Kammel
Constellation, our Confidential Kubernetes engine, is now open source. Check it out on GitHub or say Hi on Discord.
Constellation is an infrastructure product and includes several different components:
A command-line interface (CLI) manages the life-cycle of the Confidential Kubernetes cluster
In-cluster services provide features such as key management and secure node administration
A node operator handles upgrades of cluster nodes
All of these components could include a dependency with known vulnerabilities! How do we get the full picture to keep track of all our dependencies?
An SBOM comprises a list of all dependencies for a given software artifact in a standard data format, such as SPDX or CycloneDX. For more background on SBOMs see NTIA's overview.
Last year, many companies scrambled to determine whether software they were running in production was vulnerable to Log4Shell. SBOMs allow organizations to answer such questions easily!
Syft allows us to generate an SBOM for several different types of artifacts, using so-called catalogers. Supported ecosystems include OS-level package managers, programming-language build systems, container images, and file systems.
Go Modules
Go already keeps track of its dependencies via the go.mod and go.sum files. Running Syft from our go module's root directory will produce an SBOM based on these files!
syft --catalogers go-mod-file --file constellation.spdx.sbom -o spdx-json
Container Images
Syft is also able to scan images from container registries. Instead of passing a local file system path, we simply provide the image reference and an SBOM for our container will be generated.
Having minimal container images based on scratch or distroless helps to keep the attack surface low!
CONTAINER_VERSION=v2.0.0
syft ghcr.io/edgelesssys/constellation/verification-service:${CONTAINER_VERSION} --file verification-service.spdx.sbom -o spdx-json
syft ghcr.io/edgelesssys/constellation/access-manager:${CONTAINER_VERSION} --file access-manager.spdx.sbom -o spdx-json
syft ghcr.io/edgelesssys/constellation/join-service:${CONTAINER_VERSION} --file join-service.spdx.sbom -o spdx-json
syft ghcr.io/edgelesssys/constellation/kmsserver:${CONTAINER_VERSION} --file kmsserver.spdx.sbom -o spdx-json
syft ghcr.io/edgelesssys/constellation/node-operator:${CONTAINER_VERSION} --file node-operator.spdx.sbom -o spdx-json
There is also (experimental) support in the Docker CLI for generating an SBOM, which uses Syft under the hood!
Syft helped us to easily and continuously generate SBOMs for our releases.
Customers can be assured that they have the full picture of what is included in our product. They can import our SBOMs into solutions such as Dependency-Track or Black Duck to stay on top of vulnerabilities and upgrade Constellation in time to receive the latest mitigations!
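Once the per-component SBOMs above exist, the question from the Log4Shell paragraph ("do any of our artifacts ship a vulnerable version of package X?") can be answered directly from them, without access to the build or the images. The following added example (not part of the original post or of the Constellation code base) does that over SPDX JSON documents in the shape Syft writes with -o spdx-json. The two SBOMs embedded below are constructed samples, the package names are hypothetical placeholders, and the affected package and its fixed version are passed in as parameters rather than taken from a real advisory.

```python
"""Query SPDX JSON SBOMs (the shape Syft writes with -o spdx-json) to answer
"which of our artifacts ship package X below its fixed version?".

Added example: the SBOM documents below are constructed samples, not Syft
output for a real Constellation release, and the package names and the
fixed version used in the usage block are hypothetical placeholders.
"""
import json
from typing import Dict, Iterator, List, Tuple


def _pkg(name: str, version: str, purl: str = "") -> dict:
    """Build one SPDX package entry with the fields this check reads
    (name, versionInfo and the purl external ref Syft attaches)."""
    entry = {"name": name, "versionInfo": version}
    if purl:
        entry["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                  "referenceType": "purl",
                                  "referenceLocator": purl}]
    return entry


# Constructed sample SBOMs keyed by the file name Syft would have written.
SAMPLE_SBOMS: Dict[str, str] = {
    "constellation.spdx.sbom": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "name": "constellation",
        "packages": [
            _pkg("example.com/hypothetical/yamlparse", "v1.3.0",
                 "pkg:golang/example.com/hypothetical/yamlparse@v1.3.0"),
            _pkg("example.com/hypothetical/logfmt", "v0.9.1",
                 "pkg:golang/example.com/hypothetical/logfmt@v0.9.1"),
        ],
    }),
    "verification-service.spdx.sbom": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/edgelesssys/constellation/verification-service",
        "packages": [
            _pkg("example.com/hypothetical/yamlparse", "v1.4.2",
                 "pkg:golang/example.com/hypothetical/yamlparse@v1.4.2"),
            # An OS package without a purl, matched by plain name below.
            _pkg("ca-certificates", "20230311"),
        ],
    }),
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn 'v1.4.2' or '1.4.2-rc1' into a comparable key. A pre-release
    sorts below the release with the same numeric core; non-numeric parts
    are ignored, which is sufficient for Go module and distro versions."""
    core, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(part) for part in core.split(".") if part.isdigit())
    return nums, 0 if pre else 1


def packages(sbom: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, purl without its version) per SPDX package."""
    for pkg in sbom.get("packages", []):
        purl = ""
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref["referenceLocator"].split("@", 1)[0]
        yield pkg.get("name", ""), pkg.get("versionInfo", ""), purl


def affected_artifacts(sboms: Dict[str, str], package: str,
                       fixed_in: str) -> Dict[str, List[str]]:
    """Map each SBOM file name to the matching packages whose version is
    below fixed_in. `package` is either a purl without version
    ('pkg:golang/...') or a plain package name. A package with no version
    recorded is reported too, since it cannot be proven fixed."""
    fixed = parse_version(fixed_in)
    hits: Dict[str, List[str]] = {}
    for filename, text in sboms.items():
        for name, version, purl in packages(json.loads(text)):
            if package not in (name, purl):
                continue
            if not version or parse_version(version) < fixed:
                hits.setdefault(filename, []).append(
                    f"{name}@{version or 'unknown'}")
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: yamlparse is fixed in 1.4.2.
    report = affected_artifacts(
        SAMPLE_SBOMS, "pkg:golang/example.com/hypothetical/yamlparse", "1.4.2")
    for artifact, pkgs in report.items():
        print(f"{artifact}: {', '.join(pkgs)}")
```

With real Syft output, replace SAMPLE_SBOMS with the contents of the .spdx.sbom files written by the commands above; matching on the purl rather than the bare name avoids confusing same-named packages from different ecosystems, while the name fallback still covers OS packages that carry no purl.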
Follow Edgeless Systems to learn how we use SBOMs to keep Constellation secure and users in the loop on known vulnerabilities.