In this hands-on session, we extend the curated-image baseline by profiling a first-party Spring Boot app in GKE using RapidFort’s runtime instrumentation (eBPF), generating a Runtime Bill of Materials (RBOM™), and hardening the image. You’ll see how to run tests against a stubbed container, create RBOM-driven hardening jobs, apply presets (aggressive/standard/light), and optionally keep specific packages with a custom profile, all while preserving the application’s behavior.
RapidFort Workshop Series - Part 2
Advanced Hardening Tools & Features of RapidFort Platform
Key Highlights from the Workshop
From Curated Baseline to Profiled App
Recaps last week’s swap to curated OpenJDK: Spring Boot dropped from 801MB / 83 CVEs to 528MB / 1 CVE, setting the stage for runtime profiling in GKE.
eBPF Profiling → RBOM™
Deploys RapidFort runtime, stubs the pod, and captures real file/library usage during integration tests to produce an RBOM™ that separates used vs. unused components.
One-Click Harden (Presets + Overrides)
Runs rf harden on the profiling job. Uses presets: aggressive (remove every unused component), standard (remove any unused package that carries a CVE), light (remove only unused packages with high or critical CVEs). Also supports a custom rf_profile to retain selected packages (e.g., ca-certificates) that the hardening would otherwise drop.
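To make the RBOM and preset semantics concrete, here is an added illustration (not RapidFort’s code and not the workshop’s own material) of the decision logic described above: a constructed SBOM maps packages to the files they own and to placeholder CVE ids, a constructed runtime trace stands in for what eBPF instrumentation would observe during integration tests, and the presets are applied only to components the trace never touched. The assumption that presets act on unused components only follows from the text’s point that hardening preserves app behavior; the package names, file paths and CVE ids are constructed sample data.

```python
"""Toy model of RBOM-driven image hardening (constructed example, not RapidFort code).

Flow: SBOM + runtime trace -> RBOM (used vs. unused) -> preset policy -> removal plan.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Package:
    name: str
    files: Set[str]                  # files owned by the package (as a package manager would list them)
    cves: List[Tuple[str, str]]      # (cve_id, severity); ids below are placeholders, not real CVEs


# Constructed SBOM for a small OpenJDK-based image.
SBOM = [
    Package("openjdk-17-jre-headless",
            {"/usr/lib/jvm/java-17/bin/java", "/usr/lib/jvm/java-17/lib/libjli.so"}, []),
    Package("libc6", {"/lib/x86_64-linux-gnu/libc.so.6"}, [("CVE-PLACEHOLDER-1", "medium")]),
    Package("zlib1g", {"/lib/x86_64-linux-gnu/libz.so.1"}, []),
    Package("ca-certificates", {"/etc/ssl/certs/ca-certificates.crt"}, []),
    Package("bash", {"/bin/bash"}, [("CVE-PLACEHOLDER-2", "high")]),
    Package("apt", {"/usr/bin/apt", "/usr/bin/apt-get"}, [("CVE-PLACEHOLDER-3", "low")]),
    Package("curl", {"/usr/bin/curl"}, [("CVE-PLACEHOLDER-4", "critical")]),
]

# Constructed runtime trace: paths opened or mapped while the integration tests ran.
RUNTIME_TRACE = [
    "/usr/lib/jvm/java-17/bin/java",
    "/usr/lib/jvm/java-17/lib/libjli.so",
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/lib/x86_64-linux-gnu/libz.so.1",
    "/app/app.jar",  # application artifact, owned by no OS package
]


def build_rbom(sbom: Iterable[Package], trace: Iterable[str]) -> Dict[str, List[str]]:
    """Split packages into used/unused: a package is used if any of its files was touched."""
    accessed = set(trace)
    used, unused = [], []
    for pkg in sbom:
        (used if pkg.files & accessed else unused).append(pkg.name)
    return {"used": sorted(used), "unused": sorted(unused)}


def max_severity(pkg: Package) -> int:
    """Highest CVE severity rank carried by the package (0 when it has none)."""
    return max((SEVERITY_RANK[sev] for _, sev in pkg.cves), default=0)


def plan_removals(sbom: Iterable[Package], rbom: Dict[str, List[str]],
                  preset: str, keep: Iterable[str] = ()) -> List[str]:
    """Apply a preset to the unused set; 'keep' models a custom profile that retains packages."""
    if preset not in ("aggressive", "standard", "light"):
        raise ValueError(f"unknown preset: {preset}")
    by_name = {p.name: p for p in sbom}
    keep = set(keep)
    removals = []
    for name in rbom["unused"]:          # used packages are never candidates
        if name in keep:
            continue
        sev = max_severity(by_name[name])
        if (preset == "aggressive"
                or (preset == "standard" and sev > 0)
                or (preset == "light" and sev >= SEVERITY_RANK["high"])):
            removals.append(name)
    return sorted(removals)


def remaining_cves(sbom: Iterable[Package], removals: Iterable[str]) -> List[str]:
    """CVE ids still present after the planned removals (used packages keep theirs)."""
    gone = set(removals)
    return sorted(cve for p in sbom if p.name not in gone for cve, _ in p.cves)


if __name__ == "__main__":
    rbom = build_rbom(SBOM, RUNTIME_TRACE)
    print("RBOM:", rbom)
    for preset in ("aggressive", "standard", "light"):
        plan = plan_removals(SBOM, rbom, preset, keep=["ca-certificates"])
        print(f"{preset:10s} remove={plan} remaining_cves={remaining_cves(SBOM, plan)}")
```

Running it shows why the workshop’s hardened image still carried one medium CVE: the only CVE-bearing package the trace actually exercised (libc6 here) is never a removal candidate, so fixing it requires an upstream patch or a different base image rather than more aggressive stripping.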
Measured Outcomes & Options
Hardened image goes 528MB → 243MB; packages 170 → 63; single medium CVE remains (no upstream fix). Side-by-side SBOM compares removed utilities (bash, apt, etc.). Option shown to reach 0 CVEs by swapping to a curated Alpine base.