Why Don’t We Have Both? Track Build- and Run-time Information for S...
Jeff Mendoza, Ben Hirschberg
KubeCon + CloudNativeCon Europe 2025 · Session
In the rapidly evolving landscape of software supply chain security, understanding the true risk posed by vulnerabilities remains a significant challenge. This talk, "Why Don’t We Have Both? Track Build- and Run-time Information for S...", delivered by Jeff Mendoza and Ben Hirschberg at KubeCon EU, addresses the critical gap between theoretical vulnerabilities identified at build time and actual threats present during runtime. The speakers introduce an innovative approach that combines the comprehensive data aggregation capabilities of **Guac** (Graph for Understanding Artifact Composition) with the deep runtime insights provided by **Kubescape**, a Kubernetes security platform leveraging **eBPF**.
AI review
This talk presents a genuinely valuable solution to the pervasive problem of vulnerability fatigue in cloud-native environments. By skillfully integrating Kubescape's eBPF-driven runtime reachability analysis with Guac's graph database for supply chain metadata, Mendoza and Hirschberg demonstrate how to drastically reduce the noise from static vulnerability scanners. The ability to filter SBOMs based on actual runtime package usage provides actionable intelligence, enabling security teams to prioritize real threats and move beyond mere compliance to effective risk reduction. This is…