Container Supply Chain Security: The Practitioner's Journey 

Course & Training

Step-by-step securing of the container supply chain: From chaos to cryptographically verifiable trust in four practical levels.

This two-day workshop guides developers through securing the container supply chain – not with theoretical frameworks, but through a hands-on journey: from an uncontrolled status quo through transparency and control to cryptographically verifiable trust. Each level builds on the previous one and delivers immediate, usable value.

In-House Course:

We are happy to conduct tailored courses for your team - on-site, remotely or in our course rooms.

Request In-House Course

   

Content:


The workshop follows an incremental approach, inspired by the Agile Manifesto: Working Protection over Comprehensive Documentation, Incremental Hardening over Big-Bang Security, Developer Experience over Security Theater, Automated Verification over Manual Audits.

Participants progress through four levels, each building on the previous one. After each level, they have a functional setup with immediate value. The workshop addresses real attack vectors of the software supply chain: compromised dependencies, manipulated build pipelines, insecure package repositories.

Day 1: See, Understand, Control

– Level 0 to Level 1: Visibility ("I see what happens"):
... - Threat landscape: SLSA vectors and real-world attacks
... - Toolbox overview: Harbor, Kyverno, Cosign, Slim, Copacetic
... - Harbor basics: Pull/push, project structure, vulnerability reports
... - Consuming 3rd party images: Harbor proxy cache for DockerHub/GHCR
... - Image insights with Slim: xray and appbom on 3rd party images
... - Outcome: Own and 3rd party images flow through central registry, vulnerabilities are visible

– Level 1 to Level 2: Control ("I determine what is allowed"):
... - 3rd party risks: Typosquatting, malicious images, abandoned packages
... - Kyverno registry allowlist: Only Harbor proxy allowed, direct pull blocked
... - Verifying 3rd party signatures: cosign verify on official images
... - Generating SBOMs: Syft locally and in CI
... - Consuming upstream SBOMs: Find and read upstream SBOMs
... - SBOM policy: Kyverno blocks images without SBOM
... - Outcome: Direct pulls blocked, only signed/known upstreams allowed, SBOM requirement enforced

Day 2: Prove, Patch, Respond

– Level 2 to Level 3: Trust ("I can prove it"):
... - Signing and attestations: Cosign, keyless, SLSA provenance
... - Signing images: Cosign keyless with GitHub/GitLab OIDC
... - Verifying signatures: cosign verify, Rekor transparency log
... - Kyverno signature policy: Only signed images deploy
... - SLSA provenance: Generate and verify attestations
... - Outcome: Every image is signed, build provenance is attested

– Level 3 to Level 4: Resilience ("I can respond"):
... - Cyber Resilience Act: Requirements, timeline, impact
... - Patching strategies: Rebuild vs. patch-in-place
... - Copacetic: Patch vulnerable base image and re-sign
... - Outlook: SBoB and runtime with Falco
... - Full pipeline: Build, scan, patch, sign, SBOM, deploy
... - Checklist and next steps
... - Outcome: Independent CVE response, complete pipeline operational

You will not only get to know these concepts, but also implement them in practice.


Disclaimer: The actual course content may vary from the above, depending on the trainer, implementation, duration and constellation of participants.

Whether we call it training, course, workshop or seminar, we want to pick up participants at their point and equip them with the necessary practical knowledge so that they can apply the technology directly after the training and deepen it independently.

Goal:

After the workshop, participants will be able to use Harbor productively as a developer and interpret vulnerability reports, analyze the contents of any container image, generate, attach, and consume SBOMs, sign container images with Cosign (keyless and key-based), verify signatures and attestations of 3rd party images, understand Kyverno policies and debug errors, patch vulnerable upstream images with Copacetic, implement a complete secure supply chain pipeline, and understand the requirements of the Cyber Resilience Act.


Duration:

 2 Days (Is individually adapted for in-house courses.)


Form:

The workshop follows a proven mix of explanation (40% theory) and practical exercises (60% hands-on labs). You will be accompanied by an experienced trainer who will answer your questions and ensure that you have a functional setup after each level.


Target Audience:

The workshop is aimed at developers and DevOps engineers who deploy container-based applications on Kubernetes. Security specialization is not required; interest in operational security responsibility is expected.


Requirements:

Practical experience with Docker and container images.
Basic Kubernetes knowledge (Deployments, Pods, kubectl).
Access to GitHub or GitLab for CI pipeline labs.
Own laptop with Docker and kubectl.


Preparation:

Every participant will receive a questionnaire and a preparation checklist after registration. We provide a comprehensive laboratory environment for each participant, so that all participants can directly implement their own experiments and even complex scenarios.

Request In-House Course:

In-House Kurs Anfragen

Waitinglist for public course:

Sign up for the waiting list for more public course dates. Once we have enough people on the waiting list, we will determine a date that suits everyone as much as possible and schedule a new session. If you want to participate directly with two colleagues, we can even plan a public course specifically for you.

Waiting List Request

(If you already have 3 or more participants, we will discuss your preferred date directly with you and announce the course.)

More about Container Supply Chain Security



Container Supply Chain Security deals with securing all components and processes in the container-based software delivery pipeline. From development through build pipelines to production, trust, transparency, and traceability must be ensured. The SLSA Framework provides a structured approach to implementing supply chain security at different levels.




History


Container Supply Chain Security gained significant importance after high-profile attacks like SolarWinds (2020) and the compromise of container registries. These incidents demonstrated how attackers could compromise trusted software components.


In response, organizations like Google, the Linux Foundation, and the CNCF developed frameworks and tools to improve supply chain security. The SLSA Framework, Sigstore (with Cosign and Rekor), and Harbor emerged from the need to create standardized, scalable solutions. Dan Lorenc and the Sigstore team revolutionized code signing with keyless signing.


Today, container supply chain security is a central component of modern DevSecOps practices and is being further driven by regulations like the EU Cyber Resilience Act. Tools like Kyverno, Copacetic, and Slim enable developers to take security responsibility without compromising developer experience. The focus is shifting from manual audits to automated verification and from big-bang security to incremental hardening.