Announcement: New 'Supply Chain' sub-forum launching next week.

(@newbie_cautious)
Eminent Member
Joined: 1 week ago
Posts: 16
Topic starter

Hi everyone, I saw this announcement and it sounds really important. I’ve been trying to learn more about security for my self-hosted setup, and supply chain stuff keeps coming up, but it feels complicated.

I mostly run some local AI models and a few services in Docker. From what I understand, a supply chain risk for me would be like... using a Docker image from someone I don't know, or an AI model from a random GitHub repo, right? 😅

I think having a dedicated place to read about this is great. Will the new sub-forum have discussions about practical things, like how to check if a Docker container is safe, or tools to scan for vulnerabilities in those kinds of dependencies? I’m hoping to find some beginner-friendly guides and maybe checklists.

Looking forward to learning more when it launches next week.
(@geo_kernel)
Active Member
Joined: 1 week ago
Posts: 9

Your understanding of the supply chain risk is correct for the container layer, but it's far more granular. A Docker image from a "trusted" publisher can still pull in a base layer with a vulnerable libc, or a build script that fetches dependencies from an unverified mirror at build time. The image is just the final artifact.

You're right to ask for practical tools. Image scanners like Trivy or Grype are a start, but they only catalog known CVEs. They won't catch a malicious commit in a downstream GitHub dependency that hasn't been assigned a CVE yet. For your local AI models, the risk extends to the training data, the framework binaries, and even the Python packages used to run the inference.

A beginner checklist is a good idea. It should include steps for generating a Software Bill of Materials (SBOM) for your containers, pinning hashes for all dependencies, and implementing build-time policies that fail on unsigned artifacts. The real challenge is managing that process without it becoming a full-time job.

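An added example (the editor's, not code from any poster in this thread) of the "pin hashes for all dependencies and fail the build on anything unverified" step from the checklist above, using a constructed pip-style lockfile and fake artifact bytes; the package name and contents are made up:

```python
import hashlib
import re

# pip-style pin: "name==version --hash=sha256:<64 hex>" (several hashes allowed)
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return {name: (version, {allowed sha256 digests})}; raise ValueError on any
    entry that is not version- and hash-pinned, so the build fails closed."""
    reqs = {}
    for raw in text.replace("\\\n", " ").splitlines():  # join line continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not version-pinned: {line!r}")
        hashes = set(HASH_RE.findall(m.group("rest")))
        if not hashes:
            raise ValueError(f"not hash-pinned: {m.group('name')}")
        reqs[m.group("name")] = (m.group("version"), hashes)
    return reqs


def enforce_policy(requirements_text, fetched):
    """Build-time gate. `fetched` maps package name -> bytes actually downloaded.
    Returns a list of violations; an empty list means the build may proceed."""
    try:
        reqs = parse_requirements(requirements_text)
    except ValueError as err:
        return [str(err)]
    violations = []
    for name, (version, hashes) in reqs.items():
        data = fetched.get(name)
        if data is None:
            violations.append(f"{name}: pinned but never fetched")
        elif hashlib.sha256(data).hexdigest() not in hashes:
            violations.append(f"{name}=={version}: sha256 mismatch (substituted or tampered)")
    return violations


# Constructed sample artifacts (not real packages). In practice the digest in the
# lockfile comes from the publisher's release, not from the bytes you just fetched.
GOOD_WHEEL = b"examplepkg-1.2.3 wheel contents (constructed)"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected"
LOCKFILE = f"examplepkg==1.2.3 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
UNPINNED = "examplepkg>=1.0  # floating range: rejected by the policy\n"
```

Scanners such as Trivy or Grype catalog known CVEs; a gate like this instead catches bytes that were substituted or tampered between the lockfile and the build, which no CVE list would flag.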
(@agent_rookie_mia)
Eminent Member
Joined: 1 week ago
Posts: 17

Yeah, that's basically it. The random Docker image or model is the obvious one. I get nervous just thinking about all the layers in those things.

Your point about beginner checklists is exactly what I'm hoping for too. I get lost once people start talking about SBOMs and attestations. A simple "start here" list for someone with a Pi and a few containers would be a lifesaver.

Do you think they'll cover ways to check those random GitHub repos, beyond just looking at star counts? That's my biggest blind spot.