firesteelrain 5 days ago

ChainGuard is $$$$$$$

We talked to them a couple years ago. A lot of what they are doing besides Wolfi is using Alpine which removes a lot of findings by default

progbits 5 days ago | parent | next [-]

Alpine helps but it's not perfect. Plenty of outdated packages with known CVEs there for long time.

Often they are not exploitable but it's easier to pay chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves.

The GPU images are indeed very expensive though.

firesteelrain 5 days ago | parent [-]

I get it but the likelihood those vulns are exploitable in your environment is dubious. It’s a lot of compliance theater. Defense in depth

progbits 5 days ago | parent | next [-]

I agree, but I'm not spending my time arguing with PCI auditors.

Also it's safer from supply chain attacks. Malware inserted via compromised docker hub tokens is a growing threat.

firesteelrain 5 days ago | parent | next [-]

Right, I deal with NIST 800-53 based things where we have heavy albeit manual auditing. We pull from Iron Bank mostly but also employ Nexus Firewall. People can’t pull direct Docker Hub.
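
Since this sub-thread is about blocking direct Docker Hub pulls (Nexus Firewall, Iron Bank) and about tags being tampered with through compromised registry tokens, here is an added example of the kind of policy check a CI job can run over a Dockerfile before it is built. This is illustrative code written for this page, not code from any commenter, from Iron Bank, or from Nexus Firewall. It flags base images that come from a registry outside an allowlist, that are not pinned by an immutable `@sha256:` digest, or that float on `latest`. The allowlist entries, the Iron Bank image path and the digest in the sample Dockerfile are constructed placeholders.

```python
import re

# Constructed allowlist of registries an organisation permits base images from.
# Both names are hypothetical placeholders, not anyone's real configuration.
APPROVED_REGISTRIES = ("registry1.dso.mil/", "nexus.internal.example/")

# Matches "FROM [--platform=...] <ref> [AS <alias>]" (case-insensitive keywords).
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# An image reference pinned to content, not to a mutable tag.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(ref):
    """Return the registry host of an image reference.

    Docker treats the first path component as a host only if it contains a
    '.' or ':' or is 'localhost'; otherwise the pull goes to Docker Hub.
    """
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_ref(ref):
    """Return the list of policy problems for one base-image reference."""
    problems = []
    host = registry_of(ref)
    # Normalise implicit Docker Hub references so prefix matching is uniform.
    if host == "docker.io" and not ref.startswith("docker.io/"):
        full = "docker.io/" + ref
    else:
        full = ref
    if not any(full.startswith(prefix) for prefix in APPROVED_REGISTRIES):
        problems.append(f"registry {host} not in allowlist")
    if not _DIGEST_RE.search(ref):
        problems.append("not pinned by digest")
        # Without a digest the tag decides what is pulled; an absent tag means 'latest'.
        name = ref.split("@", 1)[0]
        last = name.rsplit("/", 1)[-1]
        tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
        if tag == "latest":
            problems.append("floating 'latest' tag")
    return problems


def audit_dockerfile(text):
    """Map every external FROM reference in a Dockerfile to its problems.

    References to an earlier build stage (FROM <alias>) are not registry
    pulls and are skipped.
    """
    aliases = set()
    report = {}
    for line in text.splitlines():
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in aliases:
            continue
        if m.group("alias"):
            aliases.add(m.group("alias"))
        report[ref] = check_ref(ref)
    return report


# Constructed sample: one Docker Hub pull by tag, one allowlisted image pinned
# by a placeholder digest (64 zeros), and one reference to an earlier stage.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-alpine AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM registry1.dso.mil/ironbank/example/base:1.0@sha256:%s
COPY --from=builder /app /app
FROM builder
""" % ("0" * 64)


if __name__ == "__main__":
    for ref, problems in audit_dockerfile(SAMPLE_DOCKERFILE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{ref}: {status}")
```

Pinning by digest is what actually neutralises a tag being repointed by someone holding a stolen push token: the build fails closed if the content behind the reference changes. A digest pin does not by itself keep the image patched, so it pairs with a tool that proposes digest bumps rather than replacing them.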

password4321 4 days ago | parent [-]

Yes, if you need someone else to work on securing your Docker base images for free, you can get more info about the US Air Force Platform One IronBank at https://docs-ironbank.dso.mil/faq

> Currently there is no cost to contributors or users for Iron Bank. It is a service currently funded by the US Department of Defense.

You can poke around for their public Dockerfiles to build yourself at https://repo1.dso.mil/explore (for example: https://repo1.dso.mil/dsop/opensource/debian/debian12.x/debi...) but to do much useful you'll need an account.

Another organization in Platform One, Big Bang uses IronBank containers to implement a reference DevSecOps CI/CD architecture; I mention them because they maintain a mirror at https://github.com/DoD-Platform-One/bigbang

mdaniel 4 days ago | parent [-]

A reference CI/CD architecture with a 2466 line helm values.yaml, whew <https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/chart...>

I have no idea who would win in a fight between people with literal guns and IBM's legal team <https://repo1.dso.mil/big-bang/product/packages/vault/-/blob...> vs <https://github.com/hashicorp/vault/blob/v1.20.2/LICENSE>. I guess to their credit, they do say at the top "licensing is complicated" but then go on to cite the old actual open source license that no longer applies https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/docs/...

cmckn 5 days ago | parent | prev [-]

Constantly updating to the latest version of innumerable software projects is safer from supply chain attacks? :)

My experience has been that the cost of “patching” is often bugs and instability, having gained nothing security-wise.

Sparkle-san 5 days ago | parent | prev | next [-]

For what it's worth, their pricing has decreased substantially over the last year. Their most recent quote to us was about 25% of the one we received a year or so ago.

progbits 4 days ago | parent [-]

For some more transparency, we pay ~$9k/year per image (all versions/variants) for some basic images (think python, golang etc). The ones with cuda drivers are more expensive but I don't have the exact prices on hand.

AsmodiusVI 4 days ago | parent | prev [-]

Docker isn’t nearly the same $$$. Their catalog is growing.

firesteelrain 4 days ago | parent [-]

Docker doesn’t have hardened / zero CVE containers

bluecard 3 days ago | parent [-]

They do