Software Bill of Materials (SBOM)s are no longer optional. If we really want the applications we run in containers to be secure, we need to know what’s inside. To make that easier, Codenotary, a leading software supply chain security company, is launching its new SBOM operator for Kubernetes in both its open-source Community Attestation Service and its flagship service, Codenotary’s Trustcenter.
An SBOM (pronounced: S-Bomb) is a record of the details and chain relationships of the components used in building software. Since most programs today are created by merging existing open-source and commercial software components, it is essential to know the name and specific versions of each of these elements. For example, a program using Apache Log4j2 version 2.17.0 is vulnerable to Log4Shell attacks. One that uses Log4j2 2.17.1 or newer is as safe as houses.
Now you could manually check that and thousands of other potential vulnerabilities, or you could turn to a service like Codenotary’s new offering. I know which one I would choose.
The SBOM operator for Kubernetes reduces the risk of attacks on the software supply chain by tracking all software and software dependencies in Kubernetes. It does this by generating SBOMs of your active container images and keeping up-to-date records of all builds and dependencies. SBOM Operator builds its SBOMs using the open-source project Syft. When a new vulnerability pops up — and trust me, there will be — it lets you know that it’s time to create a fix when dangerous or vulnerable artifacts are detected.
To keep this working properly, Codenotary continuously updates its SBOM records. This data is kept in the open-source fast, immutable database, Immudb. This is a tamper-proof, auditable, trustless database. The container image files are kept in a Git repository.
Codenotary claims that this information is readily available to search. This will help you locate the software artifacts in your code in seconds. The program also keeps a history of verified changes to the image content.
“On its own, the SBOM isn’t very useful without being continuously updated and maintained, as the information becomes outdated with every new implementation or update,” said Dennis Zimmer, co-founder and CTO of Codenotary. “Now users know exactly what’s running in containers, with the most up-to-date information, so they can immediately fix something if needed.”
SBOM Operator’s lead programmer, Christian Kotzbauer, said: “I am excited to contribute to the wider adoption and use of SBOMs with the Codenotary integration in my Kubernetes operator, especially the additional security, timestamp and search capabilities in the infrastructure. were key to the development’s extension.
This is another step forward in Codenotary’s efforts to provide comprehensive tools for cataloging and securing the software development lifecycle. The programs and services, both free and paid, deserve the attention of Kubernetes developers.