Session Description

Container scanning in CI/CD pipelines is not new, but getting real value from the scans remains difficult. Interpreting results and understanding CVEs and vulnerability sources also presents a challenge and requires significant time. With containers coming from many teams and sources, the variance in quality and in the types of problems found can be large. As a result, scanning may be relegated to a checkbox item or, even worse, become a source of noise and distraction without any real security benefit. Zach Hill of Anchore Inc. has faced many of the common challenges of container scanning through his work building an open source container scanner and implementing it in enterprise and government pipelines. In this session, he will share the insights he has learned and the pitfalls to avoid, so attendees can gain confidence and perform better deployments. Attendees will come away with an understanding of what to watch for, how to avoid common mistakes, and how to use their CI/CD pipelines to improve the security of their deployments.