Important updates for Chainguard Images public catalog users

Kim Lewandowski, Chief Product Officer
August 16, 2023

In May 2023, we announced a 90-day notice for changes coming to our Chainguard Images public catalog. If you are currently using Images in the public catalog, please review these important changes that will begin rolling out today, August 16. 

What’s changing starting today?

Starting today, August 16, 2023 all tags for images in the public catalog will become unavailable except for :latest and :latest-dev tags. Users will also still be able to use image digests.

Projects that currently depend on tags other than :latest or :latest-dev and that are public catalog users will see a broken build process without taking additional steps starting today. If users are not yet logged into the Chainguard Registry and use a tag other than :latest or :latest-dev, users will receive a 401 message. Public catalog users that are logged in to the registry will receive a 403 error message.

Starting today, all users of the Chainguard Images public catalog will be unable to pull images with tags other than :latest or :latest-dev without paying for access to the Standard or Custom catalog. This means that public catalog users, including open source projects, will either need to pin to the digest they currently use prior to this policy change, migrate to the software version associated with :latest, or build upon wolfi-base/ to build their desired image.

We’ve released helpful how-to guides, video tutorials and best practices for public catalog users of Chainguard Images navigating these changes: 

Reminders about authentication

In our previous announcement about these changes, we also provided updates encouraging users to pull Public Chainguard Images by authenticating to the Chainguard Registry. Users can continue to pull :latest images anonymously, but will need to authenticate in order for us to provide notifications of version updates, breaking changes, or critical security updates. 

To set up an account for authenticated access to Chainguard Images, follow these steps:

  • Register online for a free Chainguard account
  • Install our chainctl CLI
  • Run chainctl auth configure-docker to configure a credential helper that will automatically provide authentication credentials when pulling Chainguard Images from our registry,

We also provide a number of options for authenticating, including integrated support for GitHub Actions and several other CI systems, pulling from Kubernetes, and even setting up federation using your organization's OIDC provider. See here for more information.

Logging in to access Chainguard Images in the public catalog is optional, but it will be the primary mechanism we will use to notify users of upcoming changes moving forward. Logging in will also give users access to browse our Images in the Chainguard platform. 

  • Images tagged :latest and :latest-dev will be available without login required, and will automatically receive all version updates, including major and minor versions.

  • Images pulled by digest (that is, @sha256:...) will be available without logging in, but will not receive any updates or security fixes.

  • SBOMs, signatures and attestations for all Images will be available without logging in.

Why are you making these changes now? 

Chainguard is fully committed to its mission to make the software supply chain secure by default for all users. That being said, we have to balance the cost of building and maintaining images with providing a usable and secure solution for users on the public catalog. We think that this change ensures that the product is both able to scale and offer a catalog tier that remains available to open source users. We wanted to make this change sooner rather than later to ensure that the number of public catalog users who depend on tags other than :latest or :latest-dev for Chainguard Images does not grow, which would create even more disruption for Chainguard Images users if we waited to make this change later on in the product’s maturity. In short, we believe that this change now helps Chainguard make the software supply chain secure by default long into the future.

What’s next? 

Since we introduced Chainguard Images just over a year ago, we’ve seen developer and security teams benefit from their hardened security posture, reduced attack surface and daily version updates that help save time spent patching CVEs to focus on business priorities and innovation. In fact, recent research from Chainguard Labs found that popular container images, when not updated, accumulate one known vulnerability per day. Ultimately, not updating your base images can mean more vulnerabilities in the long run, introducing significant security costs

If you're interested in our paid Chainguard Images catalogs, reach out to our team for more information. Our Images inventory is always expanding and if you need something you don’t see listed in our catalog, we can build custom bundles or single-custom images. 

If you find that today’s changes impact how you are using the Chainguard Images public catalog, please reach out to our team and we will work with you to ensure a smooth transition. If you are an open source project and are interested in using Chainguard Images, we would love to discuss how we can support you and your project needs. You can also sign up for our weekly Chainguard Images office hours with our team during AMER and EMEA hours to ask questions, see demos, learn best practices and more. 

Our goal is to continue to build upon our secure baseline foundation with Chainguard Images and offer even more value to our users as they look for developer-first tools that secure the software supply chain by default. Stay tuned for more news soon for enterprises and open source projects that want to benefit from the Chainguard Images ecosystem, including upcoming announcements for our Registry and Wolfi.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.