undefined

points

[-]

>are all built continuously from upstream source

2. Isn't there a slight risk of upstream attacks being amplified by this? With the recent number of software compromises providing a way for people to use images X days old may be useful.

3. This ties into 2, if someone downloads and uses an image that is later found to be compromised they mostly have no way of being notified that happened. Not a huge issue, but is something that should be risk assessed.

by hobofan5 hours ago|

parent|

[-]

> 2. Isn't there a slight risk of upstream attacks being amplified by this?

I think the argument would be that consuming Minimus' containers would have a less severe amplification (or even reduction), as all upstream attacks that rely on a combination of third-party vulnerabilities would be rendered infeasible (since they reduce the amount of third-party dependencies in an image).

> 3. This ties into 2, if someone downloads and uses an image that is later found to be compromised they mostly have no way of being notified that happened.

For this you need a consumption-aware scanner anyways (e.g. that lists images running in your Kubernetes). Anything else will be too spammy, as you can't notify for everything for you have at some point in time have used as a base image.

by morellonet5 hours ago|

parent|

[-]

Also note that one of the features of Enterprise Edition is our integrations with Slack, email, GitHub, webhooks, etc. This enables really simple but powerful notification and automation scenarios based on image fixes (amongst other triggers like a version you're using going EOL).

For example, with EE, you can create an action to automatically trigger a webhook or send a Slack message when an image you're using has a critical CVE that's likely to be exploited (we also integrate threat intel from EPSS, KEV, etc).

Definitely still value in having runtime scanning / visibility too, but EE makes it easy to do purely on the 'left' side of things too.

by s_ting7655 hours ago|

parent|

prev|

[-]

Pausing software updates by X days old is a hack at best for specific distribution platforms (npm), not a general security recommendation.

by AmazingTurtle6 hours ago|

prev|

[-]

how can one be sure you don't do rugpull in the future?

by itintheory2 hours ago|

parent|

[-]

Pull-through cache the images. Sure, they could decide you can't pull anymore, or impose problematic rate limits, but you shouldn't add a runtime dependency on their registry in any case.

by morellonet2 hours ago|

parent|

[-]

Yep, these are just normal OCI compliant images served from a normal OCI compliant registry. You can cache them however you'd like.

by ramon1567 hours ago|

prev|

[-]

The question was "why over DHI?"

1 and 2 are not a reason

3. no X, no Y, also not a reason

4. `rg agents`. Right

by morellonet7 hours ago|

parent|

[-]

Not sure what you mean… we have more images than DHI, we have FIPS images available freely, and all our images are built from source on a distroless base. These are just objective facts.

The build from source on distroless approach provides a meaningful advantage re attack surface and CVEs versus DHI images. You don’t have to take our word for it, just pull some images and scan with Trivy or Grype or whatever you prefer.

by yjftsjthsd-h6 hours ago|

parent|

prev|

[-]

3 is exactly the reason I've never bothered to try docker's offering; that definitely is a reason

by morellonet6 hours ago|

parent|

[-]

Re 3, one of the features in Enterprise Edition is integrations with Slack, GitHub, webhooks, etc. a key use case is getting a push notification (or even triggering automation) when an image you’re using gets an update.

It’s simple but pretty granular too… ‘if this python image gets a fix for a critical CVE that’s actively exploited, trigger a GitHub action to rebuild the app with the updated image