The latest supply chain attack wave is not a single incident to respond to. It is a permanent shift in the threat landscape. In this blog by the Docker CISO Mark Lechner, we share the recommended best practice we use to protect ourselves.

Docker offers insights into container technology, microservices architecture, and application deployment, providing documentation and best practices for building, deploying, and managing containerized applications. By exploring Docker's curated content, developers can learn about container orchestration, Docker Swarm, and Docker Compose for managing complex containerized environments. Whether you're deploying microservices, building CI/CD pipelines, or optimizing your development workflow, Docker offers resources to streamline your containerization journey and unlock the benefits of container-based deployment.

Docker

A wave of escalating software supply chain attacks—including the axios npm compromise attributed to North Korea's Lazarus Group, the TeamPCP campaign, and GlassWorm—has prompted Docker's CISO to outline concrete defensive practices. The core problem is implicit trust: organizations trust container tags, GitHub Actions, and CI/CD secrets without verification. Recommended mitigations include using verified/hardened base images with SLSA attestations, pinning all dependencies to digests or commit SHAs, enforcing cooldown periods before adopting new dependency versions, generating SBOMs at build time, scoping CI/CD credentials narrowly with short lifetimes, deploying canary tokens on developer machines, auditing credential sprawl, and sandboxing AI coding agents in isolated microVMs. The post also covers governing MCP servers and building incident response playbooks. Docker frames these as practices they follow internally and provides links to their own tooling (Docker Hardened Images, Docker Scout, Docker Sandboxes).

Defending Your Software Supply Chain: What Every Engineering Team Should Do Now

The landscape has changed, your defaults should too