Using containers from public registries is no worse than using third party software. In both cases there’s a risk of malicious code. The big difference is that for containers you can scan the image before running it, SBOMs are becoming ubiquitous so dependency vulnerabilities are easier to detect, and runtime protection software is more effective on containers because each container has a deterministic expected behaviour, making it easier to find deviations. I’d much rather manage runtime controls for containers than craft selinux policies.
The bottom line (which the OP article misses) is that while individual container configurations require more effort to set up the additional work to manage them at scale is low, whereas compliance for host based installs is requiring more and more effort. In fact given how popular curl | sh ... is becoming for host based installs I’d argue that they are regressing in terms of safety and reproducibility.
Using containers from public registries is no worse than using third party software. In both cases there’s a risk of malicious code. The big difference is that for containers you can scan the image before running it, SBOMs are becoming ubiquitous so dependency vulnerabilities are easier to detect, and runtime protection software is more effective on containers because each container has a deterministic expected behaviour, making it easier to find deviations. I’d much rather manage runtime controls for containers than craft selinux policies.
The bottom line (which the OP article misses) is that while individual container configurations require more effort to set up the additional work to manage them at scale is low, whereas compliance for host based installs is requiring more and more effort. In fact given how popular
curl | sh ...is becoming for host based installs I’d argue that they are regressing in terms of safety and reproducibility.