Typically, when we talk about security in containerised workloads, we mostly mean the runtime security. Occasionally, in-registry scanning of components and libraries for known vulnerabilities is brought into the discussion. But what about build time? What if a malicious actor compromised your CI? What if a rogue image is deployed, bypassing all the steps in your CD? And wouldn't it be better if developers didn't use vulnerable libraries in the first place?

All of these questions prompted Google Cloud to develop a set of tools known under the umbrella term "Secure Supply Chain". These have various scanning, verification, and cryptographic assurance services seamlessly integrated into GCP's CI/CD patterns for GKE (Google Kubernetes Engine) and Cloud Run. It all looks great, but it is a) a lot b) assuming that you use all of the GCP tools to manage your entire software lifecycle.

But what does it mean in practical terms? In this talk, let's look at specific services and their implementation "in the wild". You will learn how to set up Binary Authorization in an enterprise environment, how to enable and make use of built-in scanning capabilities of GKE and the Artifact Registry, and how to manage the security posture of your Kubernetes and Cloud Run deployments.

You can find some of my recorded talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL This is a new talk, it will be purely technical and go through details of configuration for parts of the Secure Supply Chain and their integration with CI/CD (probably Github Actions), GKE Security Posture dashboard and real-life applications of these security tools.