Chainguard Images and Wolfi, our community distro, are now supported by a growing list of open source and enterprise vulnerability scanners. This means that if you’re using our container images, they are now recognized by Docker Scout, Grype, Snyk, Trivy and Wiz, and support for Palo Alto Network’s Prisma Cloud is coming soon. This growing ecosystem of scanner support will enable our customers and community users to continue leveraging the tools and workflows they use today for monitoring and prioritizing vulnerability scan results. We are very appreciative of these companies and projects for adding this functionality to their offerings, as are our customers. These scanners, along with software composition analysis (SCA) tools, play a critical role in software security today. It's the primary way that organizations surface and find common vulnerabilities and exposures (CVEs).
Chainguard is working hard every day to achieve zero-known CVE counts in our Images. Having broadened support from the scanner ecosystem is an important step in our product’s growth and effectiveness for enterprise and open source users who now will be able to verify scan results. With today’s news, we’ve established a security data connection for collaborating with widely used industry scanners so their customers can realize the savings in time and see the scanner noise reduction that Chainguard delivers.
Building with Chainguard Images or Wolfi and scanning with a supported scanner helps organizations build software right, from the start. The combination proactively helps to reduce an organization’s attack surface and minimize false positives, giving engineering and security teams peace of mind and time back to do what they do best–build.
Organizations that use one of our supported scanners as their enterprise scanning tool can now scan and identify vulnerabilities in Chainguard Images and Wolfi to validate that they are shipping the most secure builds possible.
Here’s a look at what leading scanner solutions have to say about Chainguard:
“It's refreshing to see a Linux distribution that is continually striving to make smaller, more secure images for everyone. There is typically a moment for me when using Grype to scan a Wolfi image where I think 'that's weird, I don't see any results,' then realize it's working perfectly.” - Alex Goodman, Tech Lead for Syft and Grype, Anchore
“Chainguard Images and Wolfi give you peace of mind that you’re starting from a secure container posture. When you add in Snyk’s container scanning, you can ensure that the Chainguard and Wolfi-based Images that started out vulnerability free, remain vulnerability free. Snyk Container allows you to continuously scan images across the SDLC, so you know when any newly discovered vulnerabilities impact your images or workloads. Additionally, Snyk’s custom base image recommendations (CBIR) provides users recommendations for upgrading their Chainguard and Wolfi-based Images to versions with fewer vulnerabilities, providing more secure applications.” – Hannah Foxwell, Director Product Management, Snyk
"We have been happy to collaborate with Chainguard on improving the security of container images, and software development at large. Our goal is to reduce the overhead of vulnerability management, and Aqua Trivy - our open source vulnerability scanner, is a demonstration for how to balance detection accuracy and information availability. Wolfi complements this approach thanks to its minimal design that lends to minimal attack surface to begin with. Together, Wolfi and Trivy is a fantastic pairing to help anyone start off with a solid security foundation to their cloud native stack, which is also open source! In addition, we are excited to keep collaborating on the next challenges of vulnerability management through the Vulnerability Exchange (VEX) specification, standardization and application. Having Chainguard and Wolfi investing in the development of the standard and adopting it on the vendor side, and Trivy exposing its benefits to our massive use base on the scanner side, paves the way for a better vulnerability management future for the entire industry." – Itay Shakury, VP of Open Source at Aqua Security
“Wiz enables organizations to securely build and operate their entire cloud environment, providing visibility and risk prioritization from development through deployment. We’re excited to add support for Wolfi and Chainguard Images to the Wiz platform, enabling our mutual customers to ‘shift left’ as they eliminate vulnerabilities, and to validate the positive impact it has on their production workloads.” – Ryan Kazanciyan, Chief Information Security Officer, Wiz
Reduce noise and fix what matters most
Vulnerability scanners can generate false positive results (flagging a vulnerability that doesn't exist) or false negatives (missing actual vulnerabilities). This scanner noise can lead to missed compliance milestones, customer frustration, wasted development time and resources as security teams investigate and remediate non-existent issues or overlook real vulnerabilities.
Chainguard helps to eliminate the burden of false positives and false negatives by conducting daily image rebuilds, which means scan results can actually work as intended by providing actionable alerts that require true remediation vs. worrying about what CVEs are worthy of concern or not. In some cases, we often fix vulnerabilities before they’re detected. Now, developers can spend their time focusing on software innovation or pressing business priorities without having to worry about noise from false positive or false negative results.
Improving the future of software security
We're committed to providing the best security data for scanners and to deliver a seamless experience for Chainguard users. We’re open to fresh ideas and feature requests from the scanner ecosystem about what is possible.
If you are a scanner or SCA tool looking to take a forward-looking approach to solving software supply chain security for your customers, reach out to our team at the form below to explore a tailored partnership that highlights your scanner’s unique capabilities or visit the Chainguard Images vulnerability scanner support page to learn how you can get started with an integration. If you are an existing Chainguard Images customer or user, visit Chainguard Academy to learn about best practices for understanding scanner results.