Watch this talk on YouTube: https://youtu.be/-3K74I7t7CQ
Securing the software supply chain has become a focus of cybersecurity efforts the world over. One aspect of this is the generation and verification of a Software Bill of Materials (SBOM). But what is an SBOM, and how would you go about setting this up for your cloud native containers, applications and pipeline?
The Flux team recently published a blog post on this very topic and how they have gone about implementing these measures. During this session, Dan Luhring, OSS Engineering Manager at Anchore, will dive into SBOMs: what they are, why you need them, some common use cases, and how to get your pipeline ready for SBOM generation and verification, using the Flux SBOM as an example.
Resources
Anchore: A comprehensive, continuous security and compliance platform to protect your cloud-native applications.
Anchore’s OSS tools featured during this session:
- Syft: A CLI tool for generating a Software Bill of Materials (SBOM) from container images and file systems.
- Grype: An easy-to-integrate open source vulnerability scanning tool for container images and file systems.
Speaker Bios:
Dan Luhring heads up OSS at Anchore, where he leads the software engineering team that develops Syft and Grype. Dan is drawn deeply into the cloud native security space, where he focuses on container workflows and developer experience. Dan believes in making software more secure by making life better for software engineers and security practitioners. Dan is a maintainer of Sigstore’s Cosign project, and he loves partnering with other people to find solutions to daunting challenges.
Priyanka (aka “Pinky”) is a Developer Experience Engineer at Weaveworks. She has worked on a multitude of topics including front end development, UI automation for testing and API development. Previously she was a software developer at State Farm where she was on the delivery engineering team working on GitOps enablement. She was instrumental in the multi-tenancy migration to utilize Flux for an internal Kubernetes offering. Outside of work, Priyanka enjoys hanging out with her husband and two rescue dogs as well as traveling around the globe.
March 24, 2022
Security: The Value of SBOMs
Dan Luhring, OSS Engineering Mgr, Anchore
Brady Todhunter, Lead DevOps Eng, Anchore
Priyanka “Pinky” Ravi, DX Engineer, Weaveworks
Stacey Potter, Community Manager, Weaveworks
Weaveworks is founded on open source
● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s
● Cortex (CNCF): Distributed, long-term-storage TSDB compatible with Prometheus
● Weave Ignite: VMs with container UX & built-in GitOps management
● EKSctl: Create an Amazon EKS cluster with one command
● (and many many more projects!)
And now … Weave GitOps!
weave.works
Speakers
Dan Luhring, OSS Engineering Mgr, Anchore
Brady Todhunter, Lead DevOps Eng., Anchore
Priyanka Ravi, DX Engineer, Weaveworks
Stacey Potter, Community Manager, Weaveworks
Help/Support
Browser: Safari copy/paste shortcuts may not work.
Using Zoom, questions?
• Use chat (button: top left corner of screen)
• Escape to exit full screen
• Send “To Everyone” or “To all panelists and attendees”
Support: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Troubleshooting: use chat. If the issue is not easily resolved, we ask that you follow along as we demo the sample app.
Security: The Value of SBOMs
Duration: 30-60 minutes
What is GitOps?...and why do I want it?
● GitOps is an app dev and operations methodology
● GitOps is a methodology, not a specific tool or technology.
● GitOps applies to everything and brings business value.
👋 Get Connected 💬 🤝
● ⭐ Star us on GitHub ⭐
● Check out the Flux docs at: fluxcd.io/docs/get-started/
● GitHub Discussions Q&A: https://github.com/fluxcd/flux2/discussions/categories/q-a
● CNCF Slack #Flux channel (or get a slack invite)
Upcoming Events
Mar 29: OpenSource101: WTF is GitOps & Why Should you Care?
Mar 30: From Zero to GitOps Heroes!
Mar 31: GitOps for Helm Users!
May 16-20: Flux Booth at KubeCon!
June 8-9: GitOps Days 2022! (gitopsdays.com)
Software bill of materials (“SBOM”)
● A “list of ingredients” for a software artifact
● Exposes what software is made up of
● Several different uses…
■ Vulnerability scanning
■ Software transparency
■ Policy
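To make the three uses above concrete, here is an added example (not code from the talk, and not Syft or Grype code) that runs toy versions of scanning, transparency and policy over a constructed CycloneDX-style SBOM. In a real pipeline Syft produces the SBOM and Grype does the matching; every package name, version, advisory id and policy rule below is made up for illustration.

```python
# Added example, not from the talk and not Syft/Grype code: toy versions of the three
# SBOM uses above (scanning, transparency, policy) over a constructed SBOM. Every
# package name, version, advisory id and rule here is made up for illustration.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SBOM fragment shaped like CycloneDX JSON (only the fields used here).
SBOM = {
    "components": [
        {"name": "example.com/libhttp", "version": "1.4.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "example.com/yamlparse", "version": "0.9.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "example.com/reporting", "version": "3.0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
}

# Constructed advisory feed: a component is affected if its version is below fixed_in.
VULN_DB = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example.com/libhttp",
     "fixed_in": "1.5.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "name": "example.com/yamlparse",
     "fixed_in": "0.8.3", "severity": "critical"},
]

def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))

def inventory(sbom):
    """Transparency: what the artifact is made of, as (name, version, license)."""
    return [(c["name"], c["version"], c["licenses"][0]["license"]["id"])
            for c in sbom["components"]]

def scan(sbom, vuln_db):
    """Vulnerability scanning: join SBOM components against the advisory feed."""
    findings = []
    for c in sbom["components"]:
        for adv in vuln_db:
            if adv["name"] == c["name"] and parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"component": c["name"], "id": adv["id"], "severity": adv["severity"]})
    return findings

def evaluate_policy(sbom, findings, denied_licenses=("AGPL-3.0-only",), fail_on="high"):
    """Policy: list violations (denied licenses, and findings at or above fail_on)."""
    violations = [f"license {lic} denied for {name}@{ver}"
                  for name, ver, lic in inventory(sbom) if lic in denied_licenses]
    violations += [f"{f['id']} ({f['severity']}) in {f['component']}" for f in findings
                   if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return violations
```

A pipeline gate would call `evaluate_policy(SBOM, scan(SBOM, VULN_DB))` and fail the build if the returned list is non-empty.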
Anchore
Forging the Future of Software Security.
Anchore is creating a more secure software supply chain for priceless peace of mind.
Anchore’s Open Source Tools
Developer-friendly scanning tools for container image security
The story of SBOMs at Flux
Cloud Native Computing Foundation (CNCF)
The Cloud Native Computing Foundation (CNCF) is an open source software foundation that promotes the adoption of cloud-native computing.
Maturity Levels: Sandbox ➡ Incubating ➡ Graduation
CNCF projects have a maturity level of sandbox, incubating, or graduated, which corresponds to the Innovators, Early Adopters, and Early Majority tiers of the Crossing the Chasm diagram. The maturity level is a signal by CNCF as to what sorts of enterprises should be adopting different projects.
July 2019: Flux joins CNCF as a Sandbox Project 🏜 ⌛ 🏝
July 2020: Flux was one of only two projects in the ‘adopt’ category of CNCF CD Tech Radar 📡 ⚙ 💻
March 2021: Flux goes from Sandbox to Incubation 🥚 ⏲
November 2021: Flux Security Audit concludes in preparation for Graduation application 📄 📝
March 2022: Flux applies for Graduation 🤞🤞 🎉 🎓 🎉 🎓 🎉 🎓 🤞🤞
Flux at Anchore
How we use Flux:
● We manage 2 clusters using Flux
● Environments are set up differently
● Image Automation
What I love about Flux:
● Developer empowerment
● Flexibility in deployments
● Source of truth for deployments
● Uses native Kubernetes mechanisms