Continuous Security
Atomic Scan
Simple Signing

Daniel J Walsh

Consulting Engineer

Twitter: @rhatdan



Chapter 4

How do you furnish the pig's apartment?

How do I secure content inside a container?

LINUX 1999

Where did you go to get software?

Go to or
and google it?

I found it on, download and install.

Hey, I hear there is a big security vulnerability in zlib.

How many copies of the zlib vulnerability do you have?

I have no clue!!!

Red Hat to the rescue

Red Hat Enterprise Linux solved this problem

Certified software and hardware platforms

People have no idea of the quality of the software in Docker images

Or are they building them themselves?

Let's Talk About DEV/OPS

Containers move the responsibility for security updates from the Operator to the Developer.

Do you trust developers to fix security issues in their images?

What happens when the next Shellshock hits?

RHEL Certified Images

Introducing Atomic Scan

Problems I see with scanners

Everyone is doing one

Each scanner wants access to /var/run/docker.sock

What happens if my container runtime is not docker?
(Shameless plug for CRI-O)

Can I use my scanner to scan other rootfs?

Atomic Scan Container Vulnerability Detection

Atomic Scan and the OpenSCAP Daemon

Using the Atomic Scan CLI to Scan VMs

Creating a Custom Atomic Scan Plugin

Integration of scanning with OpenShift

Ongoing work

Scans highlight images with problems

Admin chooses to have OpenShift quarantine these images

Where do your developers get their images?

How do you define trust?

How can I sign the images?

Managing Registry Trust With Atomic CLI

Signing Images

Must support multiple signatures?

Must not be tied to one registry?

Must be based on common standards?

Must be easy to understand?

Must support Offline Verification

Introducing Simple Signing

Container Image Signing Integration Guide

Signing Images with Atomic CLI

Push and Sign container images with Atomic CLI

Trust auto discovery with simple signing
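As an added example (not from the slides), the two files that the Atomic CLI's trust commands manage for simple signing: a containers/image policy.json whose default rejects unsigned images and admits one registry namespace only with a valid GPG signature, plus a registries.d entry pointing at the signature store, including a local file:// staging store so verification does not depend on the registry being reachable. The registry name, key path and sigstore URLs are assumed placeholders, and the files are written to a scratch directory rather than /etc/containers.

```shell
#!/bin/sh
# Added example: simple-signing trust policy files. Names below are constructed
# placeholders; DEST defaults to a temporary directory, not /etc/containers.
set -e
DEST="${DEST:-$(mktemp -d)}"

write_policy() {
  # Default: reject everything. Only registry.example.com/prod is allowed, and
  # only when the image carries a signature made by the key in keyPath.
  # Images loaded from the local docker daemon are accepted unchecked.
  cat > "$DEST/policy.json" <<'EOF'
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "registry.example.com/prod": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/prod-signing.gpg"
        }
      ]
    },
    "docker-daemon": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
EOF
  # Where detached signatures for that registry are fetched from (sigstore) and
  # where locally produced signatures are staged (sigstore-staging). A file://
  # store lets verification run offline from a mirrored copy of the signatures.
  mkdir -p "$DEST/registries.d"
  cat > "$DEST/registries.d/prod.yaml" <<'EOF'
docker:
  registry.example.com:
    sigstore: https://sigstore.example.com/sigs
    sigstore-staging: file:///var/lib/atomic/sigstore
EOF
}

# Sanity checks a practitioner would run before installing the files.
policy_rejects_by_default() {
  grep -q '"default": \[ { "type": "reject" } \]' "$DEST/policy.json"
}

policy_requires_signature() {
  grep -q '"type": "signedBy"' "$DEST/policy.json" &&
  grep -q 'sigstore:' "$DEST/registries.d/prod.yaml"
}
```

Copying the two files to /etc/containers/policy.json and /etc/containers/registries.d/ makes every pull from registry.example.com/prod fail unless its signature verifies against the named key.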


Don't let this be you.