Yeah, thanks, Kandace. Very excited to have everybody here, and thanks, everyone, for taking time another day to join us. It'll certainly be an informative 40-50 minutes. Happy to keep it interactive; feel free to ask questions in the Q&A box and we'll try to get to them. So, we're talking about modernizing image security in CI/CD with cosign and OPA. If you're unfamiliar with what those are, you'll be much more familiar with them after this webinar. Next slide, please, Dewan.

Really quickly, who are these faces talking to you? I'm Ravi. I'm a product manager here at Harness, but my background has been in distributed systems. I've been getting items wrong and writing production code all the time, and the older I get, the more I think that if my feature works the first time after I try it, it's probably wrong. Also joining today is my partner in crime, Dewan. Dewan, maybe a quick second about yourself.

Yeah, sure thing. I'm Dewan Ahmed. I'm joining from the beautiful east coast of Canada. I worked at IBM Canada and at Red Hat for eight years, and then a European database startup for two years before joining Harness. I've been fortunate to be part of the CNCF and cloud-native ecosystem for quite some time, so I really benefit from these awesome projects, and I'm looking forward to discussing some of those projects today during the webinar. Back to you, Ravi.

Yeah, thanks so much. You'll hear me say "next slide" a couple of times. Dewan and I were talking right before the webinar started: it would be awesome to have a cloud native or Linux Foundation type of way for two people to control the slides, but unfortunately you'll hear me say that a couple more times. So what are we going to be talking about today? Kind of just raking over what exactly CI/CD is and why security is important to it.
Continuous integration and continuous delivery as an increased attack vector: why is it even wise and important these days? Then we'll start getting into some of the more nuanced pieces, such as container image security. For example, how do you go about signing a container? We'll tell you how to do that in this webinar. But then also, what do you do with that information when something is signed? You probably want to have some sort of security posture, a security policy, to go through your pipeline, so we'll show you how to set that up also. Bolting onto that, kind of overarching all of it, is supply chain security. What does that mean? And then we get into a demo, where we'll show you how all this is possible. If you have Q&A, you can ask throughout; we're not doing one at the end, so ask any time you have a question. Go ahead and feel free, and hopefully it will be informative for the next 40-50 minutes. Dewan, next slide, please.

So what is CI/CD? I'll try to boil it down as simply as possible. You might have heard these terms, continuous integration and continuous delivery; you might say them together, CI/CD, as if they mean one thing. But at the end of the day, your CI/CD, well, it could be one or multiple pipelines, your build and deployment pipelines are your main conduit to your end user. A couple of things here. Usually you have source code that you want to be able to deploy, but in that process your machine doesn't understand source code, code in plain words. It has to be compiled or put into a distribution, and that usually has to be placed somewhere in a piece of infrastructure, and then that usually needs to be deployed to get into the hands of end users. So basically your CI/CD pipeline is your conduit to your users. It's a place for iteration.
If you take a look at years gone by, say 10 years ago, people might deploy maybe once every six months. Today your CI/CD pipelines are being executed all the time. They might not be going to prod every day, but you're deploying to a lower environment, maybe dev or a pre-prod environment, and software is iterative, right? Going back to my first joke, I never got something right the first time, and that's very true. Software is iterative, so you're executing this over and over again. Dewan, next slide, please.

And so, the evolution of CI/CD. If you're unfamiliar with what CI/CD is, here's a quick evolution. You've probably used some of these technologies before, or all of them, like Dewan and I have at some point in our careers. Going from left to right: back in the day, your deployment process would be very bespoke. You might be deploying with a shell script, or you might be building a very specific image, like an RPM or a tar, or using something like an AMI. How you go about getting that off your machine, or from a central spot to another spot, is a shell script. But it's very bespoke: it's your shell script, your infrastructure, probably a lot of your libraries. Moving towards the middle, we're looking at how to get this more automated. You might have some sort of automation program; if you're familiar with Jenkins, it's a generic piece of automation that will run a piece of workload for us. And then we start looking at what's going on today.
Your CI/CD, and even the infrastructure that it runs on, starts looking similar because of the rise of ephemeral workloads, the rise of container orchestration and containers, like Kubernetes or the container orchestrators of days gone by. We're in this cloud native phase, so even the infrastructure that's running it is probably Kubernetes based. It stands up and it gets destroyed; builds are very CPU intensive, so you're looking at a very elastic level of workload, and the workload you're deploying has to go somewhere too, which might be Kubernetes today. Because things are done by convention and are ephemeral, that actually increases the attack surface. Dewan, next slide, please.

So why is there a larger attack surface? Going back to the days of shell, or bash: it's your infrastructure, it's your version of Linux. You're running something very specific to your organization. The particular hardware might be your hardware spec, it might be your flavor of Linux, controlled by your IT organization or your build and release organization, but you have more control; you can do pretty much anything you want. You can get down to the kernel level if you wanted to. Moving to today, there's less control but more convention. Kubernetes, Docker, your pipeline itself: if you take a look at an open source project today, there's usually some sort of build YAML or build manifest, or even a deployment YAML or manifest. As an example, the apps that I write have a couple of flavors of deployment manifest in the repository.
Even low-level infrastructure like compute, networking and storage is done by software configuration; if you're familiar with Kubernetes CNI and CSI, those interfaces are all common. But what that means is that because there's a common attack vector, because people are leveraging common infrastructure, your build infrastructure also becomes an area of attack. So as your teams are building more convention-based, we're not going to talk too much about the infra, like your CI/CD and the things that power it being under attack. Let's talk a little bit more about the workloads that you're building on it and how you secure those workloads, because those same principles can also apply to the infra. As we go through the presentation, just remember: as you embrace containerization, as you embrace velocity, so do people who have nefarious means. They are able to make a container, they are able to understand it. If you look at the very large breaches that happened recently, they might not have been on the networking stack; they were on the application stack. If you look at Struts or Log4j, I can rattle a few off my hand here. So how do we start building a more secure supply chain? With that, I'll hand it over to Dewan, and Dewan, maybe take us through a few of these technologies that are helping folks become more secure.

Thanks, Ravi. So, to segue from the CI/CD that Ravi mentioned: build, push image and deploy, this is sort of the abstraction. It doesn't matter how mature your pipeline is, that's sort of the fundamental. But let's zoom in a bit. If you zoom in, you'll see that each of these stages has a lot going on.
It has a lot of different pieces. For example, within your build stage you can run dependency checks and you can run some static analysis; this is where you're doing white box testing, since you have access to the application code. You can run secret detection. Then you build the artifact, the OCI artifact, you push the image, and then during the deploy phase you're doing sort of black box testing. That's where you run DAST analysis: you don't have access to the source code, but you're running other sorts of tests. So that's what we mean by CI/CD security: having security all the way through the pipeline, from development all the way up to deployment, both when you have access to the source code and when you don't, like white box testing. There's also policy and compliance, because different industries and the size of your company might mean that your application will touch different pieces of the vertical, and that's where compliance comes into play. So all those different pieces are important for your CI/CD pipeline. But today we'll not focus on all of these; we'll focus specifically on container image security. And that is because 87% of images that run in production have critical or high vulnerabilities, based on a 2023 cloud native security and usage report. Now, what do we mean by container image security? There are various aspects.
So let's break it down into five different pieces. The first one is image integrity and trust. There are challenges in ensuring the authenticity and integrity of your container images. There are risks associated with pulling images from untrustworthy registries, or, let's say, the image is outdated, which might have known vulnerabilities. Number two, there might be some configuration issues around hardening. You might be configuring containers for an orchestration platform, something like Kubernetes, and you need to have hardening for that specific environment; you need to implement the least privilege principle. Next, you can think about dependency management. This is where you manage and secure the web of application dependencies for your containers. You need to keep all the components up to date to mitigate the risk of vulnerabilities, both for your application and for the dozens of libraries and packages it relies on. Many of us can relate to accidentally checking in an AWS IAM key or some other sort of sensitive information, and something like GitGuardian saves the day. So you need to ensure that... I get those alerts a little bit too many times, but yeah.

Yeah, yeah, I've seen a lot of tweets about GitGuardian, but thank you for saving my job.

So we really appreciate tools like that, that protect people's jobs. We need to ensure that such API keys or credentials are not embedded in container images. And last but not least, you need to think about the whole lifecycle and compliance management. You need to oversee the full container lifecycle, from development all the way to retiring a container image, all following the security policies and regulations. So we understand that container image security is important, but what to do about it?
Well, to get started, you might want to minimize supply chain risk and save time by using trusted container images. That's one of the things we focus on throughout the talk today and also show in the demo. You need to put vulnerabilities that are in use during runtime at the top of your list. You also need to ensure that the image doesn't get bloated too much; if there are too many unnecessary components in your container image, it's very difficult to identify where the risk is. Number two is reducing granted permissions. That means putting in the extra effort to manage permissions: only grant permissions that are needed, and remove both permissions and users not being used, to reduce an attacker's options for initial access to your container or the environment the container is running on, or maybe accidental credential access or privilege escalation. Number three is regularly tuning your detection rules based on the threat intelligence for your own system, and that is the black box testing we were mentioning previously.

Now this brings us to this image that looks like some sort of envelope with a wax seal. When you see this image...

Yeah, so way back when, people would send packages with very elaborate seals on them, and having a wax seal is a tamper-evident thing, right? If the seal is broken or chipped, you're like, hmm, someone opened this package. I'm not saying I used to do this as a kid, or maybe I did, but you try to intercept the report card before your parents get it, you try to open the envelope and seal it right back, and change that C to a B. No, no, I didn't do that. Maybe I did. But it's the same thing, right? What container image signing is trying to do is prevent a man in the middle attack, or a kid in the middle attack like me getting a report card early. Imagine GPG for containers, right?
Beautiful picture here. If you're unfamiliar with container image signing, this is exactly it: making sure that the original contents have not been tampered with, in terms of supply chain security. So I'll give it back to Dewan.

Yeah, that is a great insight, Ravi, and not that this meeting is recorded or anything, so we can definitely feel safe about mentioning peeking through our report cards. So, relating this envelope to container image signing, if we do a comparison: you can think of this letter as representing the container image that contains your application code. The envelope for this letter represents the different container layers that package your application. The personal wax seal you see there represents the digital signature of your container image. And the unique imprint, so this is my sign, that unique imprint represents the signing key that you use to sign your image. Don't worry if you don't know about the different ways to sign the image; we'll cover that in a bit. And when you send this envelope, when the recipient recognizes that this is a seal from my friend, and I trust that, and I see there is nothing broken, it hasn't been opened before, so I can trust this and I can open it: that process is the image verification process. So it helps sometimes that everyday things we see can be traced back to how we build, package and deploy software.

So let's look at this image for a second: what container image signing is and how it works. Ravi and I were chatting with a few engineers about their view on container image signing, and rightfully so, some of them hadn't heard about it. Some of them were thinking they didn't even need that, probably, like they were mentioning, what is image signing?
Like, I'm doing my work and I never have to worry about that.

Yeah, yeah, it's like, internally we sign our images here at Harness, but it was kind of transparent to them. We are signing them, there's some sort of chain of custody going on. So it was interesting, when we were actually getting ready for this webinar, asking, hey, who understands it, whether you're using it correctly or not. And where it comes in is during the pipeline policy; they'll say, oh, maybe our signing service didn't kick off because we got booted out of our deployment space. But that's getting ahead of ourselves, or getting it out of the way in the beginning. But yeah, Dewan.

Yeah, so as a developer, you might not understand container image signing, or you might not see it in your day-to-day, and that is by design. Let's say the process of creating a signed and trusted image looks something like this. The architect of the project might pull a public base image, and from this image they might do vulnerability scanning, and then they might clean up unnecessary components from that image. The image by that time is a lot leaner because it doesn't have those bloated components. Then, for your specific project and company, the architect might install the required libraries and software. Then the image might be configured and security tested, and finally that image might be signed with your company's private key, and the image is pushed as the new signed base image that is trusted. So this is sort of the process that goes on underneath; it's transparent to developers.

Now, when we talk about container image signing, just like a few challenges we have in the software industry, the problem is having too many options; lack of options is typically never the case. Similarly, we have a lot of options for container image signing. So how do you choose the right tool? I'll discuss some of the tools, but due to the time we have it's not possible to go in depth on all of them. So after I finish discussing these tools, my colleague will add a link in the chat to a talk from SigstoreCon 2022, where the speaker goes more in depth about these tools. So let's quickly go over them.

Docker Content Trust and Notary v1 are used interchangeably, but actually Docker Content Trust started from Docker using the Notary v1 architecture. Docker Content Trust started in 2015 and uses The Update Framework. It has some issues with signature portability and storage; it has an API server and a database besides the registry. It established a solid foundation in image signing, so we learned a lot from this, but because it lacks some enhanced security features, you probably will not use it right now. The next one is the Grafeas project, introduced by Google around 2017. It offers a comprehensive solution for the software development lifecycle; it's not only for container image signing, it does a whole lot more. It can record different events about how you sign the image, but the burden falls on verification. So now it's not a boolean, signed versus not signed: whoever is verifying the image has to go through all those processes to get the result. But it doesn't provide a mechanism for public key discovery. It's better suited for first party integrations, for example if you're using GKE. But if you want your customers to use it, let's say you have an image in public and your customers will be pulling that image, Grafeas probably is not something you'll be using. Next comes Notary v2. That's the evolution from Notary v1.
It got improvements in signature portability and integration with third party key management solutions. It supports signing via X.509 PKI. However, to the best of my knowledge, as of yet, it doesn't provide a CA, or certificate authority, so this leaves public key discovery for open source image verification a bit challenging. We did mention that Notary v1 is based on The Update Framework. As the name suggests, The Update Framework is a framework and not a tool. It's designed to enhance security for software update systems. It's a CNCF graduated project. It focuses on resilience against key compromises and attacks, and it's not an image signing tool per se like the other tools we have on the slide, but some of the other tools are based on this framework. Now that brings us to the last but not least, which is cosign. In this context cosign is from the Sigstore project. It offers a compelling solution: its simplicity, the registry compatibility and the effective link between the image and the signature provide a user friendly approach. And it's the integration of Fulcio for certificate management and Rekor for secure logging that really got cosign its popularity in the ecosystem. Now, how you sign the image, and more important than that, how you verify the image signature, right? So cosign's strength lies in its verification process, which is important for CI/CD pipelines. It integrates with policy engines like Open Policy Agent, or OPA, and it provides both keyless and key based signing. To learn more about that, check out the SigstoreCon 2022 video you'll probably see in the chat. So I mentioned key based and keyless signing.
So let's talk about three aspects. The first one is the principle. Key based signing uses a static pair of cryptographic keys: a private key that you use for signing, and a public key that others use for verification. Keyless signing relies on dynamically generated, short lived certificates, and that doesn't need you to store private keys and public keys permanently. The next concept is around security. With key based signing, the security relies on the protection of the private key, how you can protect those private keys. If the private key is compromised, then that poses a significant risk. That risk is significantly reduced with keyless signing, because that depends on ephemeral certificates, and let's say your OIDC providers are generating those certificates. The final concept is around the use case. Key based signing is well suited for environments with established key management infrastructure, where you can secure the storage of those keys long term. But keyless signing might be more ideal for open source projects, or organizations who don't want the burden of key management. Each method, keyless or key based, offers distinct advantages. I'll quickly give some examples. Key based examples would be GPG/PGP or X.509 certificates, and keyless examples would be Sigstore's Fulcio for short lived certificates, or transparency logs like Rekor.

Ravi, what do you think about policy? I think of insurance policy. But what do you think about policy?

Yeah, yeah, I also think of an insurance policy, or an automobile insurance policy. Kind of like, what is a policy? Policies are tough, you know, like the other framework. The academic definition of a policy is things you can do and things you can't do. It's a framework: given a certain action, what do you expect to be the outcome?
For example, if I'm going over the speed limit, I can expect the outcome to be that I get a ticket. That's a policy; it can be law, depending where you live, but it's usually a policy, or a good organizational policy. Kind of foreshadowing: usually, if there's some sort of business control when you're trying to deploy, a policy might be that the author of the application can't be the deployer. Some people still do that, so that's the policy. How can you enforce that? So, given a certain action, what is the expected reaction or outcome? That's a policy.

Perfect, that is exactly it. Policy is just a rule, and as Ravi was mentioning, I don't know if you saw my slide or not, Ravi, it's exactly the same example. For example, deployments to prod should go through an approval stage. So that brings us to policy governance, or policy as code. Nowadays everything is code: we have pipeline as code, we have infrastructure as code, why not policy as code? It's the process of managing and implementing policy definitions through source code, rather than this. So what is this?
This is our very favorite shell script. I can't think of a single organization that doesn't maintain and nurture a huge army of shell scripts. So this is a shell script, and this is the equivalent of a policy. What happens in a shell script is, first of all, it's imperative, and then it's very difficult to maintain. But when you have policy as code, it's much cleaner to read. And something like Open Policy Agent is a general purpose policy engine, so you can use one tool to ensure policy across your entire organization. Of course, when we talk about Open Policy Agent, we'll show an example today in the demo. Harness itself uses policy as code that's based on OPA, or Open Policy Agent, and within Harness we have an OPA server that's managed by Harness. If you haven't used OPA before, I highly encourage you to take a look at Open Policy Agent. It's based on a policy language called Rego. It's sort of like the debate: is YAML a language? Is Markdown a language? So, Ravi, is Rego a language?

I feel so. It's a syntax or a DSL. I'll give you credit, Rego.

I agree. As someone who transitioned from writing enterprise Java code, I like writing Markdown and YAML, so definitely these are our languages. All right, so how would you combine policy as code with container image signing? Imagine that developer, for whom it's transparent whether the image is signed or not, or what container image signing even is.
Once our architect creates that signed base image, the developer, now trying to deploy code to a Kubernetes environment, first tries to use something like an unsigned public base image. The policy checks, and then it prevents it; it denies the image deployment. But if they use a signed public base image, the policy checks, and that's what we're going to see in the demo today, that image is approved and then they can deploy it. So for the developer there's very little friction, and that's what we want to do. Whether it's a sysadmin, a DevOps team or an architect, you want to lower friction for developers. You want to enforce security and policy, but not too much friction for your engineering teams.

All right, so our favorite: demo time. I'll switch from this screen and go to the demo. First I'll explain a bit what we will see in the demo. This is a typical Kubernetes deployment; I'm using the Harness platform as an example. We have a pipeline here. Pipeline is a top-level concept at Harness, and each pipeline can have more than one stage. For example, we have one stage here, just a guestbook deploy stage, and each stage can have more than one step. At its simplest, we can have just one step, which is, let's say, a basic Kubernetes rollout deployment. Without any guardrails in place, without image verification in place, pretend that these two steps don't exist, your engineer can just deploy the image. But we'll see how we can sign an image and then verify the image. First we'll see it manually, and then we'll see the automated version. For that, I'll go to my terminal. Hope you can see my terminal.

Here I'll sign an image. Before I sign an image, let me show you where this image is coming from. If you'd like to follow the entire tutorial, my colleague will link it in the chat. There is a tutorial that goes in depth about what we're doing, and there's a video if you want to watch it. But basically there's a public image for the popular guestbook app. I pulled that image and then tagged it into two versions. It's the same image; I'm basically tagging the same image, saying that one is the dev edition and the other is the prod edition, and these two images I'll sign.

So let's do that right now. First I'll sign the dev version of the image, and I'll explain what I'm doing. This is cosign, which is one of the tools of the Sigstore project, and I'm using the cosign sign command followed by the image. You see I'm actually using the image digest, which is preferable over using the tag, which might be latest, but you don't know which latest it is. So, let me copy this one more time. I'm using keyless signing. You can use the key based approach, but in this case I'm using keyless signing, because I didn't provide a key and the default option is keyless signing. At the very end you'll see a flag, -a. This is an annotation; I can provide any key-value pair here. I'm saying env=dev, and you'll see why I'm doing that, because I'll add a policy for this at the end. Next, it's telling me that this is the Sigstore service, it's generating ephemeral keys, and it'll use the OIDC provider to verify. I'll hit y for yes, and then it pops open this page, the OAuth link for sigstore.dev, and it gives me some options for how I want to authenticate. I'll choose GitHub as the OIDC provider. Once I click that, it shows that my Sigstore authentication is successful. So this is where I'm signing the image. I come back to my terminal: it says successfully verified, it created an index, and it pushes the signature to Docker Hub, my image registry.

So let's go to Docker Hub. This is my Docker Hub, and this is my guestbook-dev image repository. You'll see that I have the image, which is 0.1; this is my image tag. But there's something else: if you see, a few seconds ago there's a new tag, and this one ends with .sig. This is the actual signature that was generated based on the signing we just did. And I can do one more, for the prod image. Because I signed my dev image, let's now sign the prod image. The same command, cosign sign, followed by your image. Again, use the image digest rather than the image tag, and then you can add -a for any annotation, for a key-value pair. Once I do that, the same Sigstore OIDC page opens, I'll use GitHub again, and then it will validate. Now I can check in my Docker Hub, the guestbook-prod repository, and you'll see that a few seconds ago this signature was generated for the 0.1.

Now one thing I'll quickly show: because I tagged these two images from the same image, the image SHA, if you see the image SHA for this image, which is guestbook-prod, ends in 9975, and if I go back to my dev image, let's say go to 0.1, the image SHA ends in 9975. So these two image SHAs are the same. This is a demo, but in your case they will not be the same; let's say for your dev environment you generate an image, and you deploy something to prod, those image SHAs might be different.

So now that we've signed these images, let's do the verification. We're not at verification in CI/CD yet; let's do the verification manually first. I'll use the cosign verify command, and I'll explain all the different pieces of this command. Let me clear off the screen. Ravi, is the font okay, or should I zoom in a bit?

I can see it.

Okay, perfect. So the command is cosign verify, followed by the image, and this time I'm actually using the image tag, 0.1. Now there are two flags. One is the certificate identity; this is my email. And it's followed by the certificate authority, so the OIDC issuer. In this case I'm using GitHub, but you can use Hotmail or GitLab, and those would have different OIDC issuers. The tutorial my colleague linked in the chat lists all those different issuers. So let's see the response of this command. Gibberish. Very difficult to understand what we're seeing, but we can make it better. Let's pipe it to jq. All right, this is more human readable.

Okay, so let's go through this. This response has two parts. The first part says that your verification for this image is done: the cosign claims are validated, and the existence of the claims in the transparency log; we're not covering the transparency log in this talk. Then the second part is actually a JSON part, which has a critical part and an optional part. Within critical it shows the identity, this is where the image is coming from, the actual image repository, and the image digest. And you can see how you can parse these different parts of this response to enforce policy. That's exactly what we'll do.

So now that we've seen how to do it manually, let's automate that. I'll now switch to the CI/CD pipeline. Here my pipeline, the guestbook deploy stage, has three steps. Before I actually deploy my image, I added two steps. One step is to verify the image; this is the cosign verify step. This is a shell script step, and I'll zoom in a bit and explain what we're doing in this step. The first thing is, in the CI/CD environment, installing the tool, the cosign tool. These are the first three lines. Line number five gets the response from the cosign verify command. In this command I'm running the command we ran before, cosign verify for the guestbook dev image, and then I'm parsing different pieces of the output. Next, the output variables are limited to this particular step, but I want to use them in the next step, and that's where I use something called script output variables, and I'm mapping each script output variable to an output variable. The next step I have is the policy enforcement. Before I add this step, I'll show you the policies first. I have two policies: one is to check the environment, and the other is to check the image digest. So let's go forward into the check environment policy. If you have used Open Policy Agent, it should be very familiar, but even if you haven't used Open Policy Agent before, this should make
sense Similar to any programming language You have a package So there's a package main And I have a deny policy If the environment input.nf is not there And we have a handy tool called Ada with Inherence Platform So let's say if you need any help You can ask generate A policy To allow Or to deny Deployment To any environment Except That's right Let's see So Ada will actually generate policies for you And you can fine tune how you want these policies All right So let's look at the next policy Next is the check image digest Very similar concept We have a deny If the input digest doesn't match this So I already showed you before The image digest ending at 9975 So both the dev image and the prod image would have this So now I go to my pipeline And I'll run this pipeline Remember because I'm using the dev image All these two policies Should pass Because the image digest matches and the environment matches I'll go ahead and run this pipeline It's checking the infrastructure The resource constraint And the course sign verify step is running If you see here, I'm getting the output It went very fast And then the policy enforcement step Passed as well And the rollout deployment already started While the rollout deployment taking place I'll open this policy and you'll see that Each policy has to be part of a policy set It shows how both policy checks were passed And if I want to show you a negative case I'll quickly edit the pipeline I'll go here Within the course sign verify Of course in an actual pipeline You'll have this as an environment variable So that as the actual manifest for your application And also the check comes from some sort of template But I'll cheat and I'll do hard code right here So let's say the dev image I change it to fraud Let's do that And then I'll click apply changes I'll hit save and I'll hit run one more time Let's run this pipeline So this time the image digest policy should pass Because it's still the same image digest However The environment 
policy Check environment policy should not pass So let's see All right So we see here The image digest is a success But the check environment Let's dive in a bit You see that this one failed the check environment And it even shows you You said any environment input dot end If it's not there I'm going to fail And then the response that comes from this First step says that the end is fraud So this is how we can combine A tool like cosine For verifying my signature And a general purpose policy engine Like open policy agent But harness has software supply chain assurance SSCA That has fine tuner support For signing and verifying signatures With cosine My colleague will add a link in the chat So I know there is a ton of information To consume in such a short time But there are two links For resources One is a tutorial where there's hands on instructions And also there's a blog If you want you can scan the QR code Or type in the link If you have any questions My colleague will also add a link to a harness community slack Where we're more than happy to answer your questions Rami, I'd like to pass it back to you To see if there are any questions in the chat Or anything you want to add No, I think that was very informative And thanks for going through that demo You and I learned a few things about signatures In this webinar And so I don't really see any questions on there Awesome You, for the folks who are watching this Or who are watching it live Those two particular links right there Are the best for those in the chat I'll send them out really quickly I'll send out the tutorial one I'll send out the blog one super quickly I was looking for it Let's see And I'll add the software supply chain Blog as well So if there are no questions One question that I had is If my company has private registries And everything is more like internal Why do we need to worry about image signing? 
And the answer to that is The whole link of your software supply chain You just need one weak link to cause havoc So for example If your software developer is building code And then pushing an image And then someone is using that image It really doesn't matter whether you're using public registry Or a private registry If you use something like container image signing It reduces the risk of your entire software supply chain Because you just need one weak link To add vulnerability to your software That your end customers are using So I think that's one of the reasons That large corporations Even if they have things behind firewall Within their own private network They still use the practice Of signing their container images And then verifying it Well, we have one question And we can answer that So a member asked For example, if you're in our deny case Or the filler case The payload output can be kind of verbose It's hard to see why there's a denial So how OPA works It's like OPA is usually on a protocol On HTTP or TCP It's like you're getting the request information And yes, in the request Will be more information that you need When OPA or Rego parses it down And so the rule should be The rule would be is correct Like, hey, if you understand how the rule was set up You'll understand how the deny is And also from a proper manager standpoint The rules would be kind of like set by Let's say a central team And you'll be able to look out for the output Or the condition that caused that rule to fail And so I understood, yes Like the payload you're getting More information than probably you would need But also it's like the backing proof Right, like, hey, this is the request Or the payload information would cause it So that's a good question Great, thanks for the question And yeah, look us up on LinkedIn and Twitter We do appreciate if you connect us on those platforms And if you have further questions Feel free to ask us there I think if you don't have any more questions 
It's time to pass it back to Candice Thank you so much to Wan and Ravi for your time today And thank you everyone for joining us As a reminder, this recording will be on the Linux Foundation's YouTube page later today We hope you join us for future webinars Have a wonderful day
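The demo above runs `cosign verify`, pipes the JSON to jq, pulls the repository and digest out of the `critical` block, and feeds them to two OPA policies (environment check and digest check). As an added example that is not part of the webinar, and not Harness or cosign code, here is that parse-then-enforce step written out in Python so the two deny rules can be exercised offline. The verification output is a constructed sample shaped like what `cosign verify` prints (a JSON array of payloads with `critical` and `optional` parts); the repository name, subject, the approved digest and the "dev only" environment rule are all assumptions made for this example, and cosign's actual signature and identity checking is not reproduced here, only the handling of its output.

```python
import json

# Constructed sample of `cosign verify ... | jq` output: a JSON array with one
# payload per signature, each carrying a "critical" and an "optional" part.
# The digest, repository and subject are placeholders, not values from the demo.
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "docker.io/example/guestbook-dev"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": "https://github.com/login/oauth",
            "Subject": "signer@example.com",
        },
    }
])

# Assumed approved digest; in a real pipeline this would come from a template
# or a release manifest rather than being hard coded.
EXPECTED_DIGEST = "sha256:" + "ab" * 32

# Assumed rule: only the "dev" environment is allowed by the environment policy.
ALLOWED_ENV = "dev"


def parse_verify_output(raw: str) -> dict:
    """Extract the fields the demo's shell step exported as output variables.

    Mirrors `jq '.[0].critical.identity."docker-reference"'` and
    `jq '.[0].critical.image."docker-manifest-digest"'` on the cosign output.
    """
    payloads = json.loads(raw)
    if not isinstance(payloads, list) or not payloads:
        # A verified image always yields at least one payload; treat anything
        # else as a failed verification rather than a policy question.
        raise ValueError("cosign verify returned no signature payloads")
    critical = payloads[0]["critical"]
    optional = payloads[0].get("optional") or {}
    return {
        "repository": critical["identity"]["docker-reference"],
        "digest": critical["image"]["docker-manifest-digest"],
        "issuer": optional.get("Issuer"),
        "subject": optional.get("Subject"),
    }


def evaluate_policies(policy_input: dict) -> list[str]:
    """Collect deny reasons the way OPA's `deny[msg]` set rules accumulate them.

    Two rules, matching the demo: the environment must be the allowed one,
    and the digest must equal the approved digest.
    """
    deny = []
    env = policy_input.get("env")
    if env != ALLOWED_ENV:
        deny.append(f"deployment to environment {env!r} is not allowed")
    if policy_input.get("digest") != EXPECTED_DIGEST:
        deny.append("image digest does not match the approved digest")
    return deny


def run_pipeline_check(raw_verify_output: str, env: str) -> dict:
    """The two pipeline steps in sequence: parse cosign output, then enforce policy.

    Returns the policy input alongside the verdict, which is the "backing
    proof" the Q&A mentions: the exact values the rules were evaluated on.
    """
    verified = parse_verify_output(raw_verify_output)
    policy_input = {
        "env": env,
        "digest": verified["digest"],
        "repository": verified["repository"],
    }
    denials = evaluate_policies(policy_input)
    return {"allowed": not denials, "deny": denials, "input": policy_input}


if __name__ == "__main__":
    # Positive case (dev, matching digest) and the negative case from the demo
    # (same digest, environment changed to prod).
    print(json.dumps(run_pipeline_check(SAMPLE_VERIFY_OUTPUT, "dev"), indent=2))
    print(json.dumps(run_pipeline_check(SAMPLE_VERIFY_OUTPUT, "prod"), indent=2))
```

Returning the policy input together with the deny messages is the practical answer to the verbosity question raised in the Q&A: the step that fails can print just the handful of fields the rules consumed, rather than the whole verification payload, while those fields still document why the denial happened.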