image-signing
Safeguard articles tagged "image-signing" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.
Securing Container Registries: From Push to Pull
Your registry is the single point every image passes through — and a favorite target for attackers who want to poison many deployments at once. Here is how to lock it down end to end.
Best Kubernetes Admission Controllers for Supply Chain Security
Kyverno, OPA Gatekeeper, Sigstore policy-controller, Ratify, or plain CEL? A field guide to admission controllers that actually block unsigned and vulnerable images.
AWS Signer with Notation: Designing a Trust Policy That Survives Contact
AWS Signer integrates with Notation for OCI image signing. The hard part is not signing — it is the trust policy that decides what gets to run. We walk through one that holds up.
Scanning Oracle Cloud Infrastructure Registry images for ...
A step-by-step guide to OCIR vulnerability scanning: enabling OCI's Vulnerability Scanning Service, triggering push-time scans, triaging CVEs, and signing verified images.
Kubernetes Admission Controllers for Supply Chain Policy
Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them the right place to enforce image provenance, signing, and SBOM policies.