DevOps

Container Supply Chain Security

SBOM (Syft, CycloneDX), image signing (Cosign, Sigstore), OCI standards, vulnerability scanning, registry security

22 interview questions
Senior
1

What is an SBOM (Software Bill of Materials) in the context of container security?

Answer

An SBOM is a comprehensive inventory of all software components contained in a container image, including libraries, dependencies, and their versions. It enables rapid identification of known vulnerabilities and tracking of risky components in the supply chain. Automated SBOM generation with tools like Syft or CycloneDX has become essential practice for maintaining visibility into transitive dependencies and meeting compliance requirements.

2

What standard format is used by CycloneDX to represent an SBOM?

Answer

CycloneDX primarily uses JSON and XML formats to represent SBOMs, in accordance with the OWASP CycloneDX specification. These structured formats enable interoperability between different security tools and facilitate integration into CI/CD pipelines. JSON format is generally preferred for its lightweight nature and ease of parsing, while XML offers stricter schema validation for demanding enterprise environments.

3

What is Cosign in the Sigstore ecosystem?

Answer

Cosign is a container artifact signing and verification tool developed as part of the Sigstore project. It enables cryptographic signing of OCI images and verification of their authenticity without requiring complex PKI infrastructure. Cosign integrates easily into CI/CD workflows and supports keyless signatures via OIDC, significantly simplifying key management compared to traditional methods like GPG.

4

What is the main characteristic of the OCI (Open Container Initiative) standard for images?

5

What does Syft generate when analyzing a container image?
