by comprev 676 days ago
A large portion of my role at $DayJob is around improving supply chain security.

Some examples of how we do it:

- Devs can only use hardened (by us) Docker images hosted inside our infrastructure. Policies enforce this during CI and runtime on clusters.

- All Maven/PIP/NodeJS/etc. dependencies are pulled through via proxy and scanned before first use. All future CI jobs pull from this internal cache.

- Only a handful of CI runners have outbound connectivity to the public internet (via firewalls). These runners have specific tags for jobs needing connectivity. All other runners pull dependencies / push artefacts from within our network.

- The CI Runners with Internet connectivity have domains whitelisted at the firewall level, and so far very few requests have been made to add new domains.

- External assets, e.g. an OpenJDK artefact, have their checksums validated during the build stage of our base images. This checksum is included in Docker image metadata should we wish to download the asset again and compare against the public one.
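A worked version of the last bullet, added here as an example and not the poster's own tooling: verify an external artefact's SHA-256 while building a base image, fail closed on mismatch, and later compare a fresh download against the hash recorded in the image label. The label key `org.example.openjdk.sha256`, the download URL and the hash values are placeholders; `fetch_and_verify` and `recheck_against_label` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the poster's tooling. Label key, URL and hashes are placeholders.
set -eu

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 otherwise. An empty or
# malformed expected value is a failure, so an unset build ARG cannot pass silently.
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  [ "${#expected}" -eq 64 ] || return 1
  case "$expected" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Build-time step: download, verify, and fail the build on mismatch. The same
# check inside a Dockerfile, with the hash then recorded as image metadata:
#   ARG JDK_URL
#   ARG JDK_SHA256
#   RUN curl -fsSLo /tmp/jdk.tar.gz "$JDK_URL" \
#    && echo "$JDK_SHA256  /tmp/jdk.tar.gz" | sha256sum -c -
#   LABEL org.example.openjdk.sha256="$JDK_SHA256"
fetch_and_verify() {
  url="$1"; expected="$2"; out="$3"
  curl -fsSLo "$out" "$url" || return 1
  verify_sha256 "$out" "$expected" || { echo "checksum mismatch for $url" >&2; rm -f "$out"; return 1; }
}

# Later re-check: read the hash recorded in the image label and compare it with
# a fresh copy of the public artefact (placeholder label key).
recorded_sha256() {
  docker image inspect --format '{{ index .Config.Labels "org.example.openjdk.sha256" }}' "$1"
}

recheck_against_label() {
  image="$1"; url="$2"; tmp="$(mktemp)"
  if fetch_and_verify "$url" "$(recorded_sha256 "$image")" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}
```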

3 comments

> All Maven/PIP/NodeJS/etc. dependencies are pulled through via proxy and scanned before first use.

What does the scanning process check for / which tools are used?

Sounds like you’re running a tight ship – congrats! Have you received feedback from your dev teams on the ergonomics of the setup?
Thanks! I was given a blank canvas and asked to build a platform which aligns with the company’s “cybersecurity” vision. They want more teams to align on how they build/deploy/manage products in a PCI regulated environment.

It’s quite challenging given I literally have 50 different “internal customers” (teams) who do things in their own silos - and have done for the last 20 years.

Definitely a marathon, not a sprint, and will take years to complete.

That's great advice, thanks! What are you using to scan the packages/images if I may ask?