
Docker Security Deep Dive

Published by Pearson

Content level: Intermediate

Secure Docker Containers with GitHub Actions CI/CD Pipelines

  • Create, Secure, Sign, and Deploy Docker Containers with GitHub Actions
  • Deep dive into Docker container security from a secure supply chain perspective, including Docker image vulnerability scanning, digital signatures, and attestations
  • Use GitHub Actions to build, scan, sign and deploy Docker containers in a DevSecOps workflow

In just four hours, learn best practices for creating and managing Docker images for improved performance and security. We will cover topics such as multi-stage Dockerfile builds, distroless Docker images, cloud native buildpacks, Docker build tools such as kaniko and ko, and container technologies such as podman. We will also go into details about the structure and the management of Docker images using tools such as crane and skopeo.

We will focus on Docker image security from a secure supply chain perspective. We will cover topics such as Dockerfile security, Docker image security scanning with trivy and grype, digital signatures and attestations with sigstore cosign, Software Bill of Materials (SBOM) creation, and attestation with syft.

We will show a practical example of a CI/CD pipeline using GitHub Actions. The pipeline will clone the code from a source code repository, build the source code, create a Docker image for the built artifact, scan the image for security vulnerabilities, sign the image with cosign, push the image to a Docker container registry, verify the image, then deploy the image to a target environment. This type of pipeline is the most important piece toward having a DevSecOps workflow in an organization.

What you’ll learn and how you can apply it

By the end of the live online course, you’ll understand:

  • How to create and manage secure Docker images using a variety of technologies
  • How to create digital signatures for Docker images, scan Docker images for security vulnerabilities, attest and verify Docker images for better supply chain security
  • How to create CI/CD pipelines for DevSecOps workflows

And you’ll be able to:

  • Use multi-stage Dockerfile builds, buildpacks, kaniko, ko, crane, skopeo, and other tools to create Docker images with a focus on performance and security
  • Use sigstore cosign, trivy, grype, syft, and other tools to implement industry best practices in supply chain security and cybersecurity
  • Create GitHub Actions pipelines that help with automating the building, securing, and deploying of Docker images

This live event is for you because...

  • You are a DevSecOps practitioner who wants to build, scan, and deploy microservice applications based on Docker containers
  • You are a Cybersecurity professional who wants to verify the security of Docker containers running in your environment
  • You are a developer who wants to create CI/CD pipelines for your source code, going from building the code to deploying the code in staging and production

Prerequisites

  • Basic knowledge of Docker containers
  • Basic knowledge of CI/CD pipelines
  • Basic knowledge of shell commands

Course Set-up

  • Docker Engine/Desktop installed on Windows or macOS
  • Command-line terminal
  • Web browser

Schedule

The time frames are only estimates and may vary according to how the class is progressing.

Segment 1: Creating and managing Docker images (90 minutes)

  • Overview of Dockerfile structure and Docker image build commands
  • Doing multi-stage Dockerfile builds
  • Using Distroless Docker images as base images
  • Building Docker images with cloud-native buildpacks
  • Building Docker images with kaniko and ko
  • Overview of OCI image structure (Open Container Initiative)
  • Operating on OCI images with crane and skopeo
  • Discussion of podman containers vs. Docker containers

Break (15 minutes)

Q & A (15 minutes)

Segment 2: Securing Docker containers (45 minutes)

  • Dockerfile scanning with hadolint and trivy
  • Docker image security scanning with trivy and grype
  • Digital signatures and attestations with sigstore cosign
  • Software Bill of Materials (SBOM) creation and attestation with syft

Break (5 minutes)

Q & A (10 minutes)

Segment 3: CI/CD pipelines in a DevSecOps context (45 minutes)

  • Overview of GitHub Actions CI/CD pipelines
  • Clone code from a sample GitHub repository
  • Build the source code into an artifact
  • Create a Docker image for the built artifact
  • Scan the Docker image for security vulnerabilities
  • Sign the image with cosign
  • Push the image to the GitHub container registry
  • Verify the image with cosign, then deploy the image to a target environment using AWS EKS
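The pipeline outlined in the course description and in the Segment 3 steps above, written out as a GitHub Actions workflow. This is an added illustration, not course material: it assumes a Dockerfile at the repository root, a lowercase repository name (GHCR requires lowercase image names), keyless cosign signing via the GitHub OIDC token, and leaves out the final EKS deployment step. The action versions shown are current release tags; pin them to commit SHAs in a real pipeline.

```yaml
name: build-scan-sign-verify
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write   # push to the GitHub container registry
  id-token: write   # OIDC token used by cosign keyless signing
env:
  IMAGE: ghcr.io/${{ github.repository }}   # assumes a lowercase repo name
jobs:
  pipeline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                 # clone the source code
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Build into the local Docker daemon only; nothing is pushed yet.
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      # Scan before pushing: the job fails on any fixable HIGH/CRITICAL finding,
      # so a vulnerable image is never published or signed.
      - uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'
      # Push the same build (served from the buildx cache) and capture its digest.
      - id: push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      - uses: sigstore/cosign-installer@v3
      # Sign by digest, not by tag: tags are mutable, digests are not.
      - run: cosign sign --yes "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
      # Verify that the signature was issued to a workflow in this repository.
      - run: |
          cosign verify \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
```

The deploy step would run the same `cosign verify` against the digest before applying a manifest to the target cluster, so an unsigned or retagged image is rejected rather than scheduled.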

Q & A (10 minutes)

Course wrap-up and next steps (5 minutes)

Your Instructor

  • Grig Gheorghiu

    Grig Gheorghiu is a co-founder of Timonier Systems, helping companies implement DevSecOps processes and workflows for running their applications securely in Kubernetes. Previously, Grig worked as a DevOps Lead at LinQuest in El Segundo, California. Grig has 30 years of industry experience working in diverse roles such as programmer, test engineer, research lab manager, system/network/security/cloud architect, and DevOps lead. For the past 25 years, Grig has been architecting and building the infrastructure for large consumer-facing and e-commerce websites such as Evite and NastyGal, as well as leading technical operations and engineering teams. He tries to blog regularly about technology topics. Grig has a BSc degree in Computer Science from the University of Bucharest, Romania, and an MSc degree in Computer Science from USC in Los Angeles.

Skill covered

Docker