AppSec & DevSecOps

A1: Adding Continuous Inspection to Your CI/CD Pipelines with Build Inspector Open Source

Thursday, June 8, 2023 9:15 AM - 10:15 AM

Room 401/402


Automatically extract important security related information from all of your CI/CD pipeline logs, that typically only get used to debug pipeline issues, with VMware's open-source Build Inspector tooling. By looking at the actions being taken in the logs, and the output from each step in your pipeline, the open source Build Inspector software is able to rapidly identify potential sources of supply chain compromise, along with providing valuable Software Bill of Material information about dependencies that are only used at build/test time, but that could become vectors for an attack. In this session we will walk through why it's important to monitor your CI build pipelines, how to get started extracting dependency and risk information from your CI build logs, and how this process can be scaled to meet the needs of an entire enterprise. Using this information: - Developers are able to avoid actions that might introduce risks to the supply chain - Vulnerability Management teams are able to more easily identify products that utilize old or vulnerable dependencies - Compliance teams are able to more easily document the dependencies used in software supply chains

Learner Objectives

After this session, the learner will understand: - Why CI/CD pipeline monitoring matters - How to use the open source Build Inspector service to extract valuable data from CI build logs - What decisions are being driven by this data at VMware today