Docker, Inc is a leading company in developer tooling, trusted by millions of users for its products. They are seeking a Staff Supply Chain Security Engineer to shape the technical direction of their Docker Hardened Images catalogue, focusing on security-hardened, enterprise-grade container images and Helm charts.
Responsibilities:
- Setting catalogue-wide technical direction - defining the conventions, patterns, and architectural decisions that govern how images and Helm charts are authored across DHI, and evolving them as the catalogue grows
- Owning the hardest packaging problems - images and charts with complex upstream dynamics (rapid release cadence, monorepo quirks, painful major-version breaks, intricate dependency chains, niche multi-arch issues) where the right answer isn't obvious
- Authoring and maintaining image definition files that track upstream OSS releases, define build steps, and keep the catalogue current - and shaping the templates and tooling others use to do the same
- Adapting upstream Helm charts (cert-manager, grafana, mongodb, kyverno, istio, and many more) to work with DHI images - handling security constraints, non-root contexts, and Kubernetes compatibility concerns, and codifying the patterns that make this repeatable
- Driving security hardening strategy - leading CVE triage approaches, hardening decisions, and supply chain posture (Sigstore, SBOM, SLSA) across the catalogue, not just individual images
- Designing and writing Go-based integration test infrastructure that validates images and charts behave correctly in real Kubernetes environments, and improving the harness others build on
- Raising the bar through review and mentorship - reviewing peers' definition and chart PRs, catching subtle issues before they reach customers, and helping other engineers grow into harder problems
- Partnering across teams with product, security, and customer-facing functions to translate customer needs and regulatory pressures into catalogue priorities and technical decisions
- Engaging upstream - representing DHI in upstream OSS communities (chart maintainers, project maintainers) on issues that affect security-hardened deployments
- Taking part in the paid on-call rotation for the team - responding to incidents, debugging production issues, and driving continuous improvement of system reliability
Requirements:
- 8+ years of backend engineering experience with production-grade systems
- Bachelor's degree in Computer Science, Engineering, or a related field, or equivalent practical experience
- Deep expertise in the container and Kubernetes ecosystem - you have strong opinions about cert-manager, kyverno, grafana, istio, and similar projects, you've debugged them in production-shaped environments, and you can navigate upstream Helm chart source and project internals fluently
- Mastery of YAML as a working medium - you've designed conventions and structures that other engineers work within, not just authored within someone else's conventions
- Strong container security background - non-root users, UID/GID, image layers, multi-arch builds, and supply chain concepts (provenance, attestation, SBOM, signing) are second nature, and you can reason about tradeoffs at the catalogue level
- Go ability sufficient to design test infrastructure - you can write and review integration test code and shape the harness, even if you're not building distributed systems
- A maintainer mindset, applied at scale - you take pride in consistency, catch drift from patterns, and think about how a change to one image or chart ripples across dozens of others and out to customers
- Strong technical judgment in ambiguous situations - comfort making and defending decisions where there's no perfect answer (e.g., how aggressively to deviate from upstream, when to absorb a breaking change vs. pin)
- Track record of technical influence without authority - you've raised the quality bar on a team through review, design docs, mentorship, and well-chosen conventions
- Deep familiarity with GitHub-heavy open source workflows - PRs, upstream tracking, monorepo conventions, and the social side of engaging with upstream maintainers
- Experience as a package maintainer (any Linux distribution, Homebrew, etc.)
- Helm chart authorship or contribution experience
- Hands-on experience with supply chain tooling (Sigstore, SBOM, SLSA) - ideally having implemented or operationalized them
- Experience in a regulated or security-conscious environment (FedRAMP, FIPS, PCI, regulated industries)
- Prior Staff-level IC experience on a platform, security, or developer-tools team