banner
LightNews
adrianmouat.com
Adrian Mouat
@adrianmouat.com
930 followers 430 following 430 posts
Technical community advocate at Chainguard. Bad guitarist. He/him.
Posts Media Videos Starter Packs
Pinned
adrianmouat.com
Adrian Mouat @adrianmouat.com · Apr 11
Want to see how secure your container images are? Try out the CHPs scorer. Here's a run on an example Python project that's pretty typical of what you find in the wild.
1 1 1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 14h
Yeah, that makes sense. I guess you have to caveat that action from that repo will pass verification, but that seems reasonable.
adrianmouat.com
Adrian Mouat @adrianmouat.com · 15h
You should be able to pull the needed value out of the cert e.g:

cosign download signature cgr.dev/chainguard/python:latest | jq '.Cert.URIs[0].Path'
python Container Image Versions | Chainguard
View python Container Image Versions information for the python image.
cgr.dev
1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 16h
There's some stuff here, including an example of the identity flag edu.chainguard.dev/open-source/...
How to Verify File Signatures with Cosign
Use Cosign to verify non-container software artifacts
edu.chainguard.dev
1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 17h
Yeah, exactly. You can provide a regex, but that's a different flag. Otherwise it basically needs to be the identity of the GitHub action that did the signing. Let me look for an example.
1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 17h
Tickets are going pretty fast, so I'd recommend getting one now if you're planning on going. Use this link for a small discount:

Kubernetes Community Days UK - Edinburgh 2025 | CNCF
In-person Event - Kubernetes Community Days UK - Edinburgh 2025
community.cncf.io
adrianmouat.com
Adrian Mouat @adrianmouat.com · 17h
You do have to put up with me talking about supply chain security, but I'm really blown away by the quality of speakers we have this year. Keynotes include @lizrice.com  @mt165.co.uk , @hannahfoxwell.net  @lianmakesthings.bsky.social , @mccune.org.uk  and @wiggitywhitney.bsky.social .
1 1 6
adrianmouat.com
Adrian Mouat @adrianmouat.com · 17h
We are getting really close to KCDUK in Edinburgh now (under two weeks!).

Kubernetes Community Days UK - Edinburgh 2025 | CNCF
In-person Event - Kubernetes Community Days UK - Edinburgh 2025
kcduk.io
1 2
adrianmouat.com
Adrian Mouat @adrianmouat.com · 1d
I'm hugely support of this, but I don't see how some of it will work -- if money and "tiers" is the problem, why wasn't this done before? I think disparate, non-profit orgs will find it difficult to run a commercial operation.

Am I missing something?
adrianmouat.com
Adrian Mouat @adrianmouat.com · 1d
The OpenSSF released a blog calling for change:
Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship – Open Source Security Foundation
An Open Letter from the Stewards of Public Open Source Infrastructure Over the past two decades, open source has revolutionized the way software is developed. Every modern application, whether written in Java, JavaScript, Python, Rust, PHP, or beyond, depends on public package registries like Maven...
tinyurl.com
1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 1d
One of the biggest problems in tech right now is the exploitation of Open Source. At the pointy end of this is are the package repositories like Maven, NPM, PyPI etc -- who are all run as a public good but have found themselves at the heart of supply-chain hacks.
1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 2d
@erikaheidi.bsky.social and myself wrote up this tutorial to get you started:
Build Java Containers with Jib
In this tutorial, you'll learn how to build minimal Java containers using Jib and Chainguard base images
tinyurl.com
2
adrianmouat.com
Adrian Mouat @adrianmouat.com · 2d
If you're building Java applications into containers, make sure you check out the Jib project. Jib lets you build and push containers directly from maven/gradle, without even needing the Docker daemon to be present.

GitHub - GoogleContainerTools/jib: 🏗 Build container images for your Java applications.
🏗 Build container images for your Java applications. - GoogleContainerTools/jib
github.com
1 1 5
Reposted by Adrian Mouat
mccune.org.uk
Rory McCune @mccune.org.uk · 3d
Calling all Kubernetes security interested folk. We're planning the next version of the OWASP Kubernetes Top 10, and have a survey to solicit ideas and feedback here docs.google.com/forms/d/e/1F... . Shouldn't take more than a couple of minutes to fill out and all feedback's welcome!
OWASP Kubernetes Top 10 2025 Survey
We're looking to update the OWASP Kubernetes Top 10 and as such want to canvas ideas on what should be included. The goal of the Top 10 is to provide awareness on the most serious risks that Kubernet...
docs.google.com
7 5
adrianmouat.com
Adrian Mouat @adrianmouat.com · 3d
If you are impacted by the changes to Bitnami Helm Charts, please check out my new video on migrating to @chainguard.dev  Helm Charts. 

I hope this helps some of you! Note that Helm Charts are available to our paid subscribers only. 

Enjoy the videos and music that you love, upload original content and share it all with friends, family and the world on YouTube.
tinyurl.com
adrianmouat.com
Adrian Mouat @adrianmouat.com · 4d
Boy. Yeah, you can even get pee cone things. He's a year now though so it seems almost intentional 😅
adrianmouat.com
Adrian Mouat @adrianmouat.com · 5d
You know how squids squirt ink when they feel threatened? My 1 yo seems to feel peeing is the appropriate response to a nappy change.
1 5
adrianmouat.com
Adrian Mouat @adrianmouat.com · 6d
Here's the slides from my @gotocon.com  Copenhagen talk "Supply Chain Security and the Real World:
Lessons from Incidents".

I hope you enjoyed it if you caught it earlier today! 
 
Attendee Copy GOTOCph Supply Chain Security and the Real World
1
tinyurl.com
2 5
Reposted by Adrian Mouat
richi.bsky.social
Richi Jennings @richi.bsky.social · 6d
#Japan​’s biggest producer of beer is still not producing any beer this week. #Asahi Group Holdings shut down production Monday after detecting a cyber intruder.

And today it’s confirmed fears of #ransomware. In #SBBlogwatch, we dry out.

securityboulevard.com/2025/10/japa...
Asahi Hack Update: Beer-Free Day #5 Dawns in Japanese Ransomware Crisis
金のうんこ! Breaking: Big beer brewer belatedly believes bitten by ransomware—and likely a data breach.
securityboulevard.com
4 4
adrianmouat.com
Adrian Mouat @adrianmouat.com · 6d
For those of you at GOTO Copenhagen, I'll be speaking at 14.15 in room 2 about what we can and should be learning from recent security incidents.

Supply Chain Security and the Real World: Lessons From Incidents
Conference talk with Adrian Mouat at GOTO Copenhagen 2025
f.mtr.cool
1 1
adrianmouat.com
Adrian Mouat @adrianmouat.com · 6d
For those of you at GOTO Copenhagen, I'll be speaking at 14.15 in room 2 about what we can and should be learning from recent security incidents.

Supply Chain Security and the Real World: Lessons From Incidents
Conference talk with Adrian Mouat at GOTO Copenhagen 2025
f.mtr.cool
adrianmouat.com
Adrian Mouat @adrianmouat.com · 8d
If you're at GOTO Copenhagen, I'll be on Sam Newman's Graham Norton style chat show alongside Kief Morris at 15.15 today. It's on the live stage, which is up the spiral stairs at the back (good luck).

For those of you not lucky enough to be there, I think it is recorded.
2
adrianmouat.com
Adrian Mouat @adrianmouat.com · 10d
I'm hosting a @chainguard.dev  Learning Lab tomorrow (6pm UK) on how to get started with Chainguard  Images.  The Lab focuses on using the free static image, which is perfect for compiled binaries produced by Go, Rust, C etc.

Learning Labs: Static Chainguard Images
During this hands-on lab, you'll learn how to create container images that have low-to-zero CVEs and are much smaller than standard images. This lab is focused on producing images for compiled languages that can produce static binaries, such as Go, Rust and C.‍We'll discuss:Why reducing the size and CVE count of images is importantHow to migrate a Dockerfile build using a compiled language to use Chainguard ContainersAdvanced techniques for producing truly minimal images and debugging‍
events.chainguard.dev
1
Reposted by Adrian Mouat
gergely.pragmaticengineer.com
Gergely Orosz @gergely.pragmaticengineer.com · 11d
How is this not bigger news in tech/security circles.

Jaguar Land Lover lost $250M (£200M) and counting thanks to a cyberattack that it still couldn’t mitigate. This is growing every week.

The cost of underinvesting in security is very real. 1+ month recovery is bonkers
60 250 910
adrianmouat.com
Adrian Mouat @adrianmouat.com · 13d
If you use Helm charts (maybe from a provider who recently changed their terms...) you might want to checkout @chainguard.dev's iamguarded Charts.

I did a video a little while back on getting started with the postgres chart
Using Chainguard's Helm Charts
Tutorial on using the Helm Charts now available from Chainguard.This tutorial demonstrates the following tools: - Helm (https://helm.sh) - Kind (for creating...
www.youtube.com
adrianmouat.com
Adrian Mouat @adrianmouat.com · 13d
Echo, if a 3 yo asks for a nursery rhyme, they don't want the instrumental version.
1