Introducing Wolfi: The first Linux (un)distro designed for securing the software supply chain

Dan Lorenc, CEO
September 22, 2022

The massive push for software supply-chain integrity and transparency has left organizations struggling to secure their pipelines and manage vulnerabilities. Existing tooling doesn’t support supply chain security natively and requires users to bolt on critical features like signatures, provenance, and software bills of material (SBOM). 

It’s this critical gap in tooling that inspired us to build Wolfi, the first community Linux (un)distribution built with default security measures for the software supply chain. Along with Wolfi, we’re also announcing updates to our existing Chainguard Images, including base images for stand-alone binaries, applications like nginx and development tooling like Go

We know you have a lot of questions, so let’s get into it: 

From Linux distributions to containers

Linux started in 1991 and has become critical to modern IT. Multiple Linux distributions have been created to package and distribute Linux for various use cases, from personal and embedded computing, to super computing and cloud. Linux runs on hardware, in VMs and now in containers.

Containers have become ubiquitous in how developers build and ship software today. Containers differ from previous solutions, by being immutable by nature (so no upgrades/downgrades are required) and using the kernel provided by the host.

Most of today’s workloads run on containers, and distros were designed for an earlier era. This and new supply chain security risks have led to the following issues with running containers:

  • Container images tend to lag behind upstream updates, resulting in users running images with known vulnerabilities
  • The common distributions used in container images also lag behind upstream versions, resulting in users installing packages manually or outside of package managers
  • Container images typically contain more software than they need to, resulting in an unnecessarily increased attack surface
  • Many container images have no provenance information, making it difficult to verify where they came from or if someone has tampered with them
  • They are typically not designed to meet compliance requirements or standards like SLSA

The only way to solve these problems is to build a distribution designed for container/cloud native environments. So, we built Wolfi. 

Building a new, container-specific distribution offers the chance to vastly simplify things by dropping support for traditional distribution features that are now irrelevant (like packaging Linux itself!), and other things like SBOMs become simpler when we can build them in from the start. We can also embrace the immutable nature of containers and avoid package updates altogether, instead preferring to rebuild from scratch with new versions.

With Wolfi, developers can start with a secure-by-default foundation that dramatically reduces time spent reviewing and mitigating security vulnerabilities and increases productivity. 

Built for software supply chain security

Wolfi was designed from the ground up to produce container images that meet the requirements of a modern secure supply chain and aim for zero-known vulnerabilities (if you don’t believe us take a look!). 

 The key features of Wolfi are:

  • Provides a high-quality, build-time SBOM as standard for all packages
  • Packages are designed to be granular and independent, to support minimal images
  • Uses the proven and reliable APK package format
  • Fully declarative and reproducible build system
  • Designed to support glibc and musl

For any marine biology enthusiasts out there, we chose the name Wolfi, because it is the name of the world’s smallest Octopus. We felt the moniker represented many of the key aspects of Wolfi, from minimalism to flexibility. 

Wolfi solves the software supply chain security problem from the outside in. Wolfi gives developers the secure by default base they need to build software, it scales to support organizations running massive environments and provides the control needed to fix most modern supply chain threats. Wolfi builds all packages directly from source, allowing us to fix vulnerabilities or apply customizations that improve the supply chain security posture of everything from the compilers to the language package managers.

Chainguard Images and security

Chainguard Images, now powered by Wolfi, are a suite of distroless images that provide support for both musl and glibc.

So what makes our images different? The primary point is that they are distroless, in the sense that they are minimal to the point of not even having a package manager (such as apt or apk). At Chainguard, we believe in minimizing dependencies as much as possible, which simplifies auditing, updating and transferring images, as well as reducing the potential attack surface.

Our Chainguard Images are rebuilt daily from upstream sources to keep everything fresh. All images are signed, allowing you to prove the image is indeed the image you expected and free from tampering. Images have an accompanying SBOM, which is generated at build time and allows you to quickly identify all the contained software and their versions, which can be invaluable when trying to determine exposure to newly discovered vulnerabilities, like Log4j. 

The signatures and SBOMs are stored in our new OCI registry alongside the images and can be queried with Sigstore's cosign tool. 

Bringing these critical features together – keeping everything up-to-date and minimizing the number of dependencies – means security scanners such as grype, Snyk and trivy report significantly less vulnerabilities for our images. This reduction in vulnerabilities dramatically reduces the burden on teams responsible for investigating and mitigating potential security issues. 

By leveraging Chainguard Images, you no longer have to worry about maintaining your own set of these images, and can rest assured that the images you use are free from known-vulnerabilities and updated securely. This lets your developers focus on building software that works and gives your security teams peace of mind that the code they are pushing into production is secure and compliant. 

Get started with Chainguard Images 

If you want to dive straight in, you can browse through Chainguard Images by signing into the console. Chainguard Academy features usage guidance and instructions for authenticating to access our Public Images. Signatures and SBOMs can be retrieved with the cosign tool. Here’s an example with our nginx Image:

-- CODE language-bash -- $ docker pull Using default tag: latest latest: Pulling from nginx 79db1e669208: Pull complete Digest: sha256:634ee2ce22a62ed1a22e11d11a09b6aa9134322d85f0467878fbaae0a28eba1e Status: Downloaded newer image for $ docker images REPOSITORY             TAG       IMAGE ID       CREATED        SIZE   latest    774c31efe147   11 hours ago   25.7MB‍ $ COSIGN_EXPERIMENTAL=1 cosign verify | jq Verification for -- The following checks were performed on each of these signatures:   - The cosign claims were validated   - Existence of the claims in the transparency log was verified offline   - Any certificates were verified against the Fulcio roots. [   {     "critical": {       "identity": {         "docker-reference": ""       },       "image": {         "docker-manifest-digest": "sha256:634ee2ce22a62ed1a22e11d11a09b6aa9134322d85f0467878fbaae0a28eba1e"       },       "type": "cosign container image signature"     }, …‍

If you’d like to take things to the next level and make your own bitwise reproducible images with SBOMs, take a look at apko and melange. A great place to get started is with our tutorial at Chainguard Academy

WTH is an Undistro?

If you made it this far and have been asking yourself what the heck we mean by undistro – you’re in luck. We refer to Wolfi as an undistro because it is not a full Linux distribution designed to run on bare-metal, but a stripped-down one designed for the cloud-native era. Most notably, we don’t include a Linux kernel, instead relying on the environment (such as the container runtime) to provide this. 

Update on our Chainguard Images Catalog: We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more. 

On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.