2025-08-28, Studio 1
Software‑supply‑chain attacks increasingly exploit the dependency graphs hidden inside container base images. General‑purpose binary distributions can drag in hundreds of packages, making it difficult to generate accurate SBOMs and keep up with CVE patching. In this session you will learn how to use the Yocto Project to build lean, auditable container base images and matching package repositories that can serve as drop‑in replacements inside existing Docker or Podman build pipelines.
We will replace an Alpine base image in a micro‑service with an OCI‑compliant image generated by Yocto. Along the way you will see how to:
- compile every dependency from source under fully reproducible builds;
- strip unused libraries, toolchains and the package manager to shrink the attack surface;
- automatically generate file level SPDX SBOMs;
- feed vulnerability scanners with deterministic package metadata.
A comparison quantifies the impact on image size, package count, and open‑CVE exposure.
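As an added illustration (not configuration from the session or from Ericsson), a `conf/local.conf` fragment that switches on the pieces listed above: reproducible builds, file‑level SPDX generation, CVE metadata, removal of the package manager from the rootfs, and OCI output. It assumes the `create-spdx` and `cve-check` classes from openembedded‑core and the `image-oci` class from meta‑virtualization; the image tag and entrypoint values are placeholders.

```bitbake
# Added example: conf/local.conf fragment for a lean, auditable container base image.
# Assumes openembedded-core (create-spdx, cve-check) and meta-virtualization (image-oci).

# Reproducible builds: normalised timestamps and build paths so two builds of the same
# sources yield bit-identical packages (on by default in current releases, stated here so
# the property is explicit in the audited configuration).
BUILD_REPRODUCIBLE_BINARIES = "1"

# File-level SPDX SBOM for every recipe and for the final image, with source references
# so scanners can map each file back to the exact upstream it was compiled from.
INHERIT += "create-spdx"
SPDX_PRETTY = "1"
SPDX_INCLUDE_SOURCES = "1"

# Per-recipe CVE report keyed on the exact package versions that were built.
INHERIT += "cve-check"

# Shrink the attack surface: no package manager and no locale data in the rootfs.
IMAGE_FEATURES:remove = "package-management"
IMAGE_LINGUAS = ""

# Emit an OCI image layout next to the rootfs so Docker or Podman can consume it directly.
IMAGE_CLASSES += "image-oci"
IMAGE_FSTYPES += "oci"
OCI_IMAGE_TAG = "example-base:placeholder"   # placeholder tag, not a real image reference
OCI_IMAGE_ENTRYPOINT = "/bin/sh"             # placeholder entrypoint for the base image
```

The resulting SPDX documents and CVE report land under the build's deploy directory, which is where the size, package‑count and open‑CVE comparison against the Alpine baseline can be drawn from.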
I am a Senior Specialist in Linux Build, Packaging and Integration working at Ericsson Software Technology, providing Yocto expertise to Ericsson's Yocto users.