[Verse 1]
When you need containers that are battle-tested and clean
Iron Bank at repo one D-S-O dot mil is the scene
Hardened images waiting with approval process tight
Every base is vetted through security's keen sight
But when pre-built won't cut it and custom's what you need
Build from hardened foundations, that's the golden creed

[Chorus]
Sign and verify, scan and deny
SBOM tells us what's inside
Gates that guard before deploy
Container security we can't avoid
Iron Bank, custom build, sign the deal
Scan for flaws, gates enforce, keep it real

[Verse 2]
Cosign and Notary version two will mark your way
Digital signatures prove your images are okay
Software Bill of Materials in SPDX we trust
CycloneDX format showing every bit of rust
Generate and consume these lists of every part
Transparency in components is security's art

[Chorus]
Sign and verify, scan and deny
SBOM tells us what's inside
Gates that guard before deploy
Container security we can't avoid
Iron Bank, custom build, sign the deal
Scan for flaws, gates enforce, keep it real

[Bridge]
Trivy scans the layers deep
Grype finds the flaws that creep
Anchore guards the CI-CD way
Catching vulns before they play
O-P-A Gatekeeper stands so tall
Kyverno answers policy's call

[Verse 3]
In your pipeline integration vulnerability scanning flows
Trivy, Grype and Anchore catch the threats nobody knows
At deploy time admission controllers take their stand
Gatekeeper and Kyverno with policies so grand
Image policies enforced before the pods can start
Security woven deep into DevOps' beating heart

[Chorus]
Sign and verify, scan and deny
SBOM tells us what's inside
Gates that guard before deploy
Container security we can't avoid
Iron Bank, custom build, sign the deal
Scan for flaws, gates enforce, keep it real

[Outro]
From Iron Bank to custom builds
Through scanning tools and policy shields
Container supply chain locked down tight
Security done right
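The admission-time image policy that the Bridge and Verse 3 sing about (Kyverno refusing to start pods until the image signature and its SBOM have been verified) looks like this in practice. This is an added example, not part of the lyric or of any project the song names. Assumptions: the glob `registry1.dso.mil/*` stands for the Iron Bank registry the first verse spells out, the public key is a labelled placeholder for your own cosign key, and the SBOM is expected to have been attached with `cosign attest --type spdx` under the same key.

```yaml
# Added example (not from the original page): a Kyverno ClusterPolicy that
# rejects Pods whose images are not cosign-signed with a known key or that
# lack a signed SPDX SBOM attestation.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images-with-sbom
spec:
  # Enforce rejects the admission request; Audit would only log a report.
  # Run in Audit first to see what would be blocked in an existing cluster.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-signature-and-sbom
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Assumption: only images from this registry are in scope; the glob
        # is an illustrative value for the hardened registry the song names.
        - imageReferences:
            - "registry1.dso.mil/*"
          # Rewrite tags to the verified digest so the running container
          # cannot drift from what was checked at admission time.
          mutateDigest: true
          required: true
          attestors:
            - entries:
                - keys:
                    # PLACEHOLDER: paste the contents of your cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <REPLACE_WITH_COSIGN_PUBLIC_KEY>
                      -----END PUBLIC KEY-----
          attestations:
            # Require an SPDX SBOM attestation (predicate type used by
            # `cosign attest --type spdx`) signed by the same key.
            - type: https://spdx.dev/Document
              attestors:
                - entries:
                    - keys:
                        # PLACEHOLDER: same key as above.
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <REPLACE_WITH_COSIGN_PUBLIC_KEY>
                          -----END PUBLIC KEY-----
```

Apply it with `kubectl apply -f` once Kyverno is installed; a Pod referencing an unsigned image, or one signed but carrying no SPDX attestation, is then refused at admission with a policy violation in the API response, which is the "gates that guard before deploy" of the chorus. Keeping `mutateDigest: true` matters: verifying a tag and then running whatever the tag later points at would undo the check.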