Being a recent victim, let's take Nvidia as an example. Would you trust Nvidia's repos on GitHub or Container images? If no, how would you go about checking for any malware/backdoor? Any pointers would be appreciated. Thanks!
There must be a qualification process for anything that will be put in contact with a production environment and/or sensitive data. What a container validation process looks like depends on the type of organization and it's risk appetite.
It depends. Usually the Dockerfiles are on GitHub anyway and you can take a peek, but a lot of them probably just install binaries or packages hosted elsewhere by the company.<p>That’s a bit harder to audit.