
Container Supply Chain Security
SBOM (Syft, CycloneDX), image signing (Cosign, Sigstore), OCI standards, vulnerability scanning, registry security
1. What is an SBOM (Software Bill of Materials) in the context of container security?
Answer
An SBOM is a comprehensive inventory of all software components contained in a container image, including libraries, dependencies, and their versions. It enables rapid identification of known vulnerabilities and tracking of risky components in the supply chain. Automated SBOM generation with tools like Syft or CycloneDX has become essential practice for maintaining visibility into transitive dependencies and meeting compliance requirements.
2. What standard format is used by CycloneDX to represent an SBOM?
Answer
CycloneDX primarily uses JSON and XML formats to represent SBOMs, in accordance with the OWASP CycloneDX specification. These structured formats enable interoperability between different security tools and facilitate integration into CI/CD pipelines. JSON format is generally preferred for its lightweight nature and ease of parsing, while XML offers stricter schema validation for demanding enterprise environments.
3. What is Cosign in the Sigstore ecosystem?
Answer
Cosign is a container artifact signing and verification tool developed as part of the Sigstore project. It enables cryptographic signing of OCI images and verification of their authenticity without requiring complex PKI infrastructure. Cosign integrates easily into CI/CD workflows and supports keyless signatures via OIDC, significantly simplifying key management compared to traditional methods like GPG.
What is the main characteristic of the OCI (Open Container Initiative) standard for images?
What does Syft generate when analyzing a container image?