Today is a very special day for Chainguard, as we release to the public a few projects that will lay the foundation for important improvements in the cloud-native and container ecosystems. The following announcement (video) provides an overview of these projects and how they fit together to enable safer build and runtime environments, with a focus on securing the software supply chain:
During the past few months, I have been working closely with the team that built Wolfi and Chainguard Images, testing and documenting these projects as they evolved into the version that is being released today. Some of this work is already available at Chainguard Academy, our educational hub for software supply chain resources. More to come, for sure!
In this post I'll talk a bit about these projects, how they came to be, and what they represent in the context of container images for the cloud native era.
How Wolfi was Born
A long time ago, in a galaxy far far away, some folks realized that the most popular base container images were bloated with stuff that could make sense in bare metal servers, but were totally superfluous in containerized environments. The first distroless images were developed at Google, and Chainguard's founders Matt Moore and Dan Lorenc were directly involved with the initiative.
Fast-forward to May 2022, when the Chainguard Images project was still in its first iterations. It didn't take long for the team to realize that the Linux distributions commonly used as bases for container images were not really designed for what we wanted to build. Some of the main challenges included the lag behind upstream updates, lack of provenance information, and an unnecessary increased attack surface caused by software that didn't need to be there.
The only way to solve these problems was to build a distribution designed for container/cloud native environments. So, we built Wolfi. You can read more about the design principles and decisions behind Wolfi in this blog post. The Wolfi documentation at Chainguard Academy has more context on why we call it an undistro and how it is different from other Linux distributions. In a nutshell, Wolfi is a tiny distribution that doesn't have a kernel of its own, is designed to support both glibc and musl, and includes high-quality SBOMs (software bill of materials) covering all packages in the distro.
A Brief Look at the New Chainguard Images
Powered by Wolfi, Chainguard Images are a suite of distroless images that consolidate the base features of the Wolfi undistro into end-user container images that can be integrated into existing workflows. Chainguard Images are fully declarative and reproducible, and include SBOMs that cover all image dependencies. In addition, Chainguard Images are signed via Sigstore, which attests the provenance of all artifacts. All images and corresponding signatures, as well as their SBOMs, are hosted in Chainguard's OCI registry cgr.dev.
The easiest way to see the advantages of using a Chainguard Image instead of its traditional (or even official) counterpart is by comparing the results of security scanners analyzing those images. Here's an overview of Nginx, as an example:
On the left, you have an overview of CVEs detected by Trivy on the nginx:latest container image, from August to September. This includes low, medium, high, and critical CVEs (classified by color). On the right side, you can see the results from a Trivy run on our distroless Nginx image: zero CVEs.
But don't take my word for it; install Trivy and run the scan on your own terminal. You will be surprised by the results.
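To turn that side-by-side comparison into something a pipeline can act on, here is an added example (not Chainguard's or Trivy's own code) that summarizes Trivy JSON reports by severity and gates on the result. It assumes the reports come from `trivy image --format json <image>`; the two reports embedded below are constructed samples, not real scan output, and the CVE identifiers in them are placeholders.

```python
"""Summarize Trivy JSON reports by severity and gate on the result."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample: a conventional image with a few findings.
# IDs are placeholders, not real CVEs.
BLOATED_REPORT = json.dumps({
    "ArtifactName": "nginx:latest",
    "Results": [{
        "Target": "nginx:latest (debian)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "othertool", "Severity": "CRITICAL"},
        ],
    }],
})

# Constructed sample: a distroless image. Trivy omits "Vulnerabilities"
# (or emits null) for a target with no findings, so both cases are handled.
CLEAN_REPORT = json.dumps({
    "ArtifactName": "cgr.dev/chainguard/nginx",
    "Results": [{"Target": "cgr.dev/chainguard/nginx (wolfi)",
                 "Class": "os-pkgs", "Vulnerabilities": None}],
})


def count_by_severity(report_json: str) -> dict:
    """Return {severity: count} over every target in a Trivy JSON report."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def passes_gate(report_json: str, block_at: str = "HIGH") -> bool:
    """CI-style gate: False if any finding is at or above `block_at`."""
    counts = count_by_severity(report_json)
    blocked = SEVERITIES[: SEVERITIES.index(block_at) + 1]
    return all(counts[sev] == 0 for sev in blocked)


if __name__ == "__main__":
    for name, report in (("nginx:latest", BLOATED_REPORT), ("chainguard nginx", CLEAN_REPORT)):
        print(name, count_by_severity(report), "passes gate:", passes_gate(report))
```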
To learn more about how to get started using Chainguard Images, please visit the official documentation at Chainguard Academy.
Chainguard Academy: the one-stop resource for software supply chain security
Last but not least, Chainguard Academy comes as a one-stop educational resource to close gaps in knowledge and elevate our collective understanding about software supply chain security, approaching conceptual subjects and industry frameworks as well as technical guides and tutorials on how to get things done in practice.
It's worth noting that our knowledge base is open source and we are committed to keep iterating on it in order to provide the best documentation on the software supply chain, and the wider community is invited to propose improvements and new topics. We are still working on contributing guidelines, but they should be available soon (and in time for Hacktoberfest, dare I say!). Yay! You can find us on GitHub.
Finally, if you have any questions, feel free to join us today in a Twitter Spaces where we'll discuss all things software supply chain!
Top comments (3)
❤️❤️❤️
How do these compare to Google's distroless images?
It's a very similar approach.
Effectively Google distroless images are a stripped down version of Debian, but Chainguard images use the Wolfi distro. Both are glibc based and have very small image sizes. The main difference is that our images are much easier to extend; building a new image with apko is trivial compared to trying to wrangle the Bazel config to produce a modified Google distroless container.