"E2E-Testing" - recommended complementary use with other tools?

[manuschillerdev]

I am wondering how dockle might complement other tools, or in which cases it might be redundant.

I am wondering explicitly about hadolint, dockle, and trivy. To my understanding, the tools should tackle different use-cases and can be used complementary:

• hadolint: Containerfile linting (best-practices for Containerfiles, shellcheck)
• dockle: Containerimage testing (CIS, best-practices for Containerimages)
• trivy: Containerimage testing (CVEs)

Just for context and slightly offtopic - are there any examples for complete Dev-Sec-Ops-Processes? I'd like to evaluate the following approach and I am wondering if I understood the use-case for dockle correctly.

• Local DEV machine: IDE or pre-commit hook Containerfile → hadolint
• CI (trigger: commit/merge):
  • hadolint: (lint Dockerfile to guard against git commit --no-verify)
  • kaniko: Build the image - keep locally as tar
  • dockle:
  • Testing the image (best-practices and CIS)
  • Create and attach SARIF
  • trivy with trivy-plugin-referrer:
  • Analyze CVEs
  • Create and attach SARIF (CVEs)
  • Create and attach SBOM
  • crane: tool does not really matter - anything that can push to the registry
  • cosign sign OCI-artifact with attached SARIFs/SBOMS
• Kubernetes
  • Before scheduling the container: policies Kyverno or OPA
    • Check for unwanted licences in SBOM
    • Check CVEs and dockle results
  • On running containers
  • Not too experienced with this personally, but maybe a solution like cilium + tetragon?

[tomoyamachi]

@manuschillerdev Your understanding is correct!