SOSS Fusion 2024

Software supply chain security is more important than ever. Yet maintaining secure container images is challenging, because patch options can be limited: wait impatiently for third-party image updates to be released, especially for images with multi-publisher dependencies, or perform your own full image rebuild, a time and resource-intensive process. Project Copacetic (Copa) reduces turnaround time and complexity for image patching. Copa integrates into existing build infrastructure, giving users greater control over their patching timeline while reducing costs. Using image scanners like Trivy, Copa generates a vulnerability report and identifies necessary OS-level package updates. Copa then updates your target image using Buildkit (Docker’s default builder) by creating a new patch layer on the original image. Copa can even patch distroless images. We’ll demo Copa, including how to integrate it into pipelines, extend its functionality with scanner formats, and exclude scanners to update all outdated packages. You’ll leave ready to keep your images secure. As a newly accepted CNCF sandbox project, Copa invites you to join the community and advance your software security!