At Chainguard, we focus a lot on the value our Images product brings to our customers via our low-to-no Common Vulnerabilities and Exposures (CVEs) commitment, but the reality is that the value of Chainguard Images to our customers’ supply chain security extends far deeper than just low CVE counts. As one person put it at our recent quarterly business review: Come for the low CVEs, stay for the supply chain security. That is exactly right.
Virtually every compliance framework I have seen has a section on “Vulnerability Management.” It appears in SOC2, FedRAMP, PCI DSS, ISO27001, and more. The strength of the requirements are the main piece that varies, and it ranges from “track them, and have a plan” to “eliminate them above a certain severity, within a specific timeframe.”
For example, PCI compliance historically requires users to fix any Critical or High CVEs uncovered by network scans and rescan. However, even just tracking CVEs (the bare minimum) via the infamous “CVE spreadsheet” is an enormous source of toil for developers. That toil translates directly to costs, as developers are often one of the most expensive assets a business has.
At Chainguard, we are at the forefront of solving the CVE problem with our Wolfi un-distro, which is able to pick up CVE patches, apply them to packages, and get them to customers extremely quickly. This is so fundamental to the value our customers get that we offer SLAs around remediation in our enterprise product.
We lead with this messaging (the tip of our messaging “iceberg”) because complying with these sections on “vulnerability management” is such a universal source of pain (and cost) for our customers today. However, in addition to solving our customers “today problems,” we are also anticipating their “tomorrow problems” with respect to supply chain security.
A growing best practice, which is also starting to appear in the compliance frameworks, is to utilize minimal images (see also). For example, the September 2022 update from the PCI council with guidance for containers states:
Threat: Container base images downloaded from untrusted sources, or which contain unnecessary packages, increase the risk of supply chain attacks.
Best Practice: Application container images should be built from trusted, up-to-date minimal base images.
At Chainguard, we are pioneers at the forefront of minimal images. Dan Lorenc and I created the original “distroless” project as a prototype to prove the concept in our time at Google. With Ariadne Conill and team, we have taken this to new levels at Chainguard, with the only purpose-built tooling to do this sustainably at scale.
A key benefit of minimal images, which we reported on previously, is that the smaller surface can lead to a substantial reduction in the rate at which images accumulate CVEs (this ties into pain of the previous section). We also see minimal images as a key mitigation for the growing evasion technique known as “living off the land,” which attackers are using to avoid intrusion detection software. Another benefit of minimal images is that they are small (comparing a crude sampling with official images, the average is 79% smaller).
Chainguard’s Images are minimal by default, but many contain what we call a “dev variant” to enable a smoother migration path to distroless nirvana.
Another growing best practice is to require images to be signed by authorized build pipelines. This is also starting to appear in the compliance frameworks. For example, the September 2022 update from the PCI council with guidance for containers states:
Threat: Known good images can be maliciously or inadvertently substituted or modified and deployed to container runtime environments.
Best Practice: Registries should be configured to integrate with the image build processes such that only signed images from authorized build pipelines are available for deployment to container runtime environments.
Software Bill of Materials (aka SBOMs)
In 2021, the White House dropped a BOMshell (sorry, I couldn’t resist) with Executive Order 14028; which called for:
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website
Many folks describe SBOMs as a “list of ingredients” for the image, describing each of the pieces that went in (e.g. package and version, source and commit, etc).
All Chainguard Images contain SBOM attestations, which are signed by our release automation, so that processes consuming the SBOMs can validate the authenticity of our SBOM’s provenance. As the compliance landscape continues to evolve and come into focus, we continue to iterate on the shape of our SBOMs to ensure that they are compliant with SBOM regulations as soon as they land (such as the NTIA “minimum elements”).
SLSA (Supply-chain Levels for Software Artifacts)
In 2021, Google released SLSA as an open specification to help users secure parts of their supply chain. It is based around the ideas in “Binary Authorization for Borg” developed and implemented by Google for a number of years as a way of securing its internal production environment known as Borg, which itself inspired and informed the creation of the open source project Kubernetes.
At Chainguard, we are big advocates of SLSA. Kim Lewandowski helped create and launch SLSA. Several of us participated in the early working groups, and had a deep background in its predecessor from our time at Google. Chainguard has also performed a number of SLSA audits for our customers and organizations like the CNCF.
One of the key elements of SLSA is the provenance attestation, which has some overlap with SBOM. But generally, if an SBOM is the “list of ingredients,” you can think of the provenance attestation as the recipe (how those ingredients combined to produce the image).
All Chainguard Images carry SLSA attestations, which are signed by our release automation, so that processes consuming the attestations can validate the authenticity of our SLSA provenance. We have tracked SLSA from v0.1 through to v1.0.
Reproducibility has not yet found its way into the requirements of any compliance frameworks, but it was briefly one of the aspirational elements of SLSA level 4 (which was left out of v1.0). It is also increasingly a focus of the supply-chain inclined.
All Chainguard Image builds are reproducible, which we verify before ever tagging a new image and distributing it to our users.
Threat: The default position of Linux containers, which is to run as root, could increase the risk of a container breakout.
Best Practice: Container images should be built to run as a standard (non-root) user.
However, many of the things we are doing go above and beyond the current compliance standards.
At the filesystem level, we have embraced the Filesystem Hierarchy Standard (FHS).
If you have ideas for ways that we can continue to raise this bar, please reach out! We are always looking for more ways to improve.
Future: Vulnerability Exploitability eXchange (VEX)
VEX is the lesser known sibling of SBOM, and is another format being pushed by CISA. It is intended to be a way of asserting that a particular vulnerability does not apply to a particular software artifact (aka “a false positive”). It is still early days for VEX, and so it has not yet appeared in any compliance standards.
At Chainguard, we see the OpenVEX specification as a way of eliminating false positives from scanners with fuzzy matching logic on container images, including, of course, Chainguard Images!
Come for the low CVEs, stay for the supply chain security
At Chainguard, we are on a mission to be the safe source for open source. To become that we are building a holistic solution to software supply chain security with, or as the CNCF TAG Security calls it: a secure software factory (contributions by: Dan Lorenc, Jason Hall, Priya Wadhwa, Dan "POP" Papandrea, and Matthew Moore).
We are always working to ensure that our Images meet today’s compliance standards, but we are also anticipating (and sometimes helping shape) future compliance standards. However, our efforts also go well beyond the bare minimum for compliance, and we are constantly searching for ways to raise the bar across our catalog to adhere to (or even create) new best practices for software supply chain security.
Nobody competes with our low-to-no CVE commitment today, and as you can see even that is just the “tip of the iceberg” of Chainguard Images’ value. Reach out if Chainguard can help you achieve your compliance and software supply chain security goals.