Karl Haworth is a Principal Staff Engineer on American Airlines' Developer Experience products. His team is leveraging Chainguard Images to harden their software and strengthen the security of their software supply chain. Karl recently created an alternative, secure image for the Backstage open-source framework using Chainguard's wolfi-base image. In this guest post, Karl explores the decision to use wolfi-base and the benefits he has seen in reducing vulnerabilities and shrinking the overall Backstage attack surface.
American Airlines is committed to enhancing the developer experience by implementing a frictionless self-service platform. By doing so, developers can deliver value to our customers sooner. To achieve that goal, we adopted Spotify's Backstage open-source framework to accelerate the development of our internal developer portal, Runway. This marks my third endeavor at establishing a developer portal, and it has been successful due to a heavy focus on InnerSource practices. Backstage has proven instrumental in streamlining the development process, thanks to its community-driven foundation as a solid base to build upon.
Integrating Wolfi into Backstage
Achieving the desired objectives involved decreasing the number of vulnerabilities from 404 to just a few. 🤯 The successful reduction of the attack surface further solidified our goals, and we also addressed package updates faster thanks to Wolfi's efficient update and patching system.
Additionally, Backstage has placed significant emphasis on being secure by default, but I noticed a crucial aspect was lacking: a hardened base image. Integrating one contributes effectively to the entire ecosystem and aligns with the project's current objectives. No organization should compromise security while leveraging open source, and this pull request is instrumental in reinforcing a secure-by-default approach.
Benefits of using Wolfi base with Backstage
Working at American Airlines, I am grateful for the opportunity to give back to the open-source community through the appropriate channels. Recently, I was able to submit a pull request to Backstage, receive and incorporate feedback, and have my changes integrated.
Following the integration, I had the privilege of sharing my success story with the Backstage community. The Backstage maintainers grasped the issue at hand, appreciated the contribution, and discussed potential plans to consider alternative options based on community input.
![Image of side-by-side comparison of node:18-bookworm-slim and cgr.dev/chainguard/wolfi-base:latest.](https://cdn.prod.website-files.com/6228fdbc6c971401d02a9c42/66439cf87f73eb60ff5e0b54_Screenshot%202024-05-14%20at%201.11.15%E2%80%AFPM.png)
Reflecting on the modifications made, I aimed to keep the flow and commands as close to the original as possible to avoid maintenance complexities. The outcome closely resembled the original setup, with a few tweaks to include additional or modified packages, as well as adjustments to users and permissions.
To get started with swapping your default base to Wolfi, the Backstage Deployment Documentation describes the contributed Wolfi alternative along with the Dockerfile contents on GitHub.
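To make the "few tweaks" concrete, here is an added example of a Backstage backend runtime stage on wolfi-base; it is not the Dockerfile contributed to the Backstage project, and it assumes a preceding build stage named `build` that produces the same `dist/*.tar.gz` artifacts as the upstream multi-stage Backstage Dockerfile. The Wolfi package names (`nodejs-18`, `yarn`, `python-3`, `build-base`, `sqlite-dev`) are assumptions to confirm with `apk search` inside the image.

```dockerfile
# Added example, not the Backstage project's own Dockerfile.
# Upstream runtime stage starts FROM node:18-bookworm-slim and runs
#   apt-get install python3 g++ build-essential libsqlite3-dev
# as root, then switches to the `node` user. The Wolfi equivalent below
# keeps the same flow: install the native-module toolchain, then drop
# to the unprivileged user that ships with wolfi-base.
FROM cgr.dev/chainguard/wolfi-base:latest AS runtime

# Toolchain for native modules such as better-sqlite3.
# Package names are assumed; verify with `apk search nodejs` etc.
RUN apk add --no-cache nodejs-18 yarn python-3 build-base sqlite-dev

ENV NODE_ENV=production
WORKDIR /app

# wolfi-base provides `nonroot` (uid 65532) instead of Debian's `node`
# user, so ownership and the USER directive change accordingly.
RUN chown nonroot:nonroot /app
USER nonroot

# Skeleton first so dependency installation is cached separately
# from the application bundle (same ordering as upstream).
COPY --chown=nonroot:nonroot --from=build \
    /app/yarn.lock /app/package.json \
    /app/packages/backend/dist/skeleton.tar.gz ./
RUN tar xzf skeleton.tar.gz && rm skeleton.tar.gz

RUN yarn install --frozen-lockfile --production --network-timeout 300000 \
    && rm -rf "$(yarn cache dir)"

COPY --chown=nonroot:nonroot --from=build \
    /app/packages/backend/dist/bundle.tar.gz /app/app-config*.yaml ./
RUN tar xzf bundle.tar.gz && rm bundle.tar.gz

CMD ["node", "packages/backend", \
     "--config", "app-config.yaml", \
     "--config", "app-config.production.yaml"]
```

After building, a scanner such as grype or trivy run against the two images gives the side-by-side vulnerability comparison shown in the screenshot above.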
By transitioning to a Wolfi base, we were able to save numerous hours spent triaging vulnerabilities, decrease the total number of vulnerabilities to a manageable level, establish supply chain verification, shrink our attack surface, and accelerate the process of regularly applying patches and upgrades.
I am eager to engage in further discussions about establishing a hardened base as the standard option in Backstage, with additional input from the community.