
Container Vulnerability Management for non-dev-organizations

Çağlar Arlı


Is there a good best practice for container vulnerability management when you are not a dev shop?

I am currently trying to figure out how to set up a proper supply chain risk management system for a company that only consumes Docker images as a standard deployment model but does not have any in-house dev capabilities.

To manage that properly, as a dev org, you would pull the Dockerfile for your base image and build the image yourself, including vulnerability scanning, SCA and SAST. This image is stored in your own registry and you use that image as the base image.

Is there any other way that does not include running your own registry, rebuilding all images on your own and deploying these?
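As an added illustration, not part of the question above and not taken from any particular project: one lightweight control an organisation that only consumes images can apply without running its own registry or rebuilding anything is to require every external base image in a Dockerfile to be pinned by digest and to appear on a reviewed allowlist. The sample Dockerfile and the allowlist digest below are constructed values.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: a Dockerfile the organisation consumes but does not build.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 python:3.12-slim AS base
FROM nginx@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM base
"""

# Constructed allowlist: digests that passed the organisation's review/scan.
APPROVED_DIGESTS = {
    "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
}

# A pinned reference ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def parse_from_lines(dockerfile: str) -> List[Tuple[str, Optional[str]]]:
    """Return (image_ref, stage_alias) for each FROM line, ignoring --platform flags."""
    refs = []
    for line in dockerfile.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].upper() != "FROM":
            continue
        tokens = [t for t in parts[1:] if not t.startswith("--")]
        image = tokens[0]
        alias = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
        refs.append((image, alias))
    return refs


def check_dockerfile(dockerfile: str, approved: Set[str]) -> List[str]:
    """Return one finding per external base image that is unpinned or not approved."""
    findings = []
    stage_names = set()  # aliases of earlier stages; FROM <alias> is not external
    for image, alias in parse_from_lines(dockerfile):
        if image not in stage_names:
            match = DIGEST_RE.search(image)
            if not match:
                findings.append(f"{image}: mutable tag, pin to a digest")
            elif match.group(1) not in approved:
                findings.append(f"{image}: digest not in the approved list")
        if alias:
            stage_names.add(alias)
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE, APPROVED_DIGESTS):
        print(finding)
```

Run as a gate before deployment, a non-empty result blocks the rollout; the allowlist is where the organisation records which upstream digests it has actually scanned or reviewed.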