Dockerize Java Securely: SBOMs + Attestations + Bake

Containerizing Java applications is easy. Containerizing them securely is not.

In this session, we'll explore how to strengthen your Java Docker builds with Software Bills of Materials (SBOMs) and registry attestations. Instead of generating a single SBOM from the finished image, you'll see how to extract an SBOM from every stage of a multi-stage build, catching vulnerable components in build-only stages (JDK, build tooling, plugins) that a scan of the final runtime image would never see.

We'll cover:
- Why SBOMs are critical for modern Java applications
- How to integrate SBOM generation directly into Docker builds
- Using Docker Bake to make it delicious
- Pushing SBOMs as attestations to your registry for supply-chain visibility
- Using hardened base images to make it easier
- Asking Johnny Cage to sign the images and their SBOM attestations

Live demo: Containerizing a Spring Boot app with security built in
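To make the per-stage SBOM idea concrete, here is an added example of the kind of multi-stage Spring Boot Dockerfile the session describes. It is not the speaker's demo code; the base image tags, Maven wrapper layout, Spring Boot 3.2+ launcher class and the non-root UID are assumptions. The one line that matters for the talk's point is `ARG BUILDKIT_SBOM_SCAN_STAGE=true`: BuildKit only scans the final stage by default, and declaring this build argument inside an intermediate stage opts that stage into the SBOM as well.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not code from the session): a multi-stage Spring Boot build
# in which the build-only stages opt in to BuildKit's SBOM scanning, so the
# SBOM attestation also records the JDK and build tooling that never reach
# the runtime image. Image tags, paths and UID below are assumptions.

# Stage 1: resolve Maven dependencies separately so they cache independently
# of source edits. This stage holds the JDK and Maven plugins.
FROM eclipse-temurin:21-jdk AS deps
# Opt this intermediate stage into the SBOM (BuildKit scans only the final
# stage unless a stage declares this build argument).
ARG BUILDKIT_SBOM_SCAN_STAGE=true
WORKDIR /workspace
COPY mvnw pom.xml ./
COPY .mvn .mvn
RUN ./mvnw -B dependency:go-offline

# Stage 2: compile, package, and split the fat jar into layers.
FROM deps AS build
ARG BUILDKIT_SBOM_SCAN_STAGE=true
COPY src src
RUN ./mvnw -B package -DskipTests \
 && java -Djarmode=layertools -jar target/*.jar extract --destination target/extracted

# Stage 3: minimal runtime image. Only a JRE plus the application layers;
# this stage is scanned by default because it is the final stage.
FROM eclipse-temurin:21-jre AS runtime
WORKDIR /app
COPY --from=build /workspace/target/extracted/dependencies/ ./
COPY --from=build /workspace/target/extracted/spring-boot-loader/ ./
COPY --from=build /workspace/target/extracted/snapshot-dependencies/ ./
COPY --from=build /workspace/target/extracted/application/ ./
# Run as an unprivileged, non-existent user (assumed UID/GID).
USER 65532:65532
EXPOSE 8080
# Launcher class for Spring Boot 3.2+; older releases use
# org.springframework.boot.loader.JarLauncher.
ENTRYPOINT ["java", "org.springframework.boot.loader.launch.JarLauncher"]
```

To have the SBOM and provenance attached to the image in the registry, build and push with attestations enabled, either on the command line (`docker buildx build --sbom=true --provenance=mode=max --push -t <registry>/<image>:<tag> .`) or, in a Bake target, with `attest = ["type=sbom", "type=provenance,mode=max"]`. Afterwards you can confirm the SBOM actually landed with `docker buildx imagetools inspect <registry>/<image>:<tag> --format '{{ json .SBOM }}'`; if the `deps` and `build` stages are in the output, the per-stage opt-in worked. Note that an SBOM attestation only describes what was built; it does not by itself prove who built it, which is where signing the image and its attestations comes in.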

Mohammad-Ali A'râbi

Docker Captain, Author of "Docker and Kubernetes Security", Senior Software Engineer @ JobRad

Freiburg, Germany
