Revolutionizing container security and CVE management
Ensuring security within container environments has become a pivotal challenge. However, there are ways in which we can confidently approach this challenge. Enter Wolfi — a “secure-by-default” undistro, specifically designed to address vulnerabilities in container ecosystems.
The essence of Wolfi
Wolfi stands out as a solution tailored for securing containers against Common Vulnerabilities and Exposures (CVEs). Its architecture is designed to mitigate risks inherent in the software supply chain, providing peace of mind to developers and IT professionals.
In today’s software development landscape, a staggering 70–90% of any production stack consists of open-source software. Open-source technology offers immense value, particularly in its flexibility and community-driven innovation. Wolfi builds on these strengths, further enhancing security to mitigate the traditional vulnerabilities often associated with open-source solutions.
Wolfi in action: A paradigm shift
Wolfi introduces a new approach to building secure containers, moving away from procedural builds and using distroless methods and declarative YAML files to create minimal and more secure images. Wolfi uses tools like apko and melange to create OCI-compliant container images, ensuring fully reproducible builds. This method significantly reduces the risk of software supply chain attacks, helps with debugging, and cleanly separates packaging applications from building and configuring runtime images.
Apko and melange shift the focus from procedural Dockerfile instructions to a declarative, reproducible approach. This shift not only streamlines the container-building process but also enhances security by reducing potential attack surfaces.
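To make the declarative approach concrete, here is an added example of an apko image definition (not taken from the original article or from Chainguard's own configurations). The file name, the `example-app` package, and its entrypoint path are hypothetical placeholders; the repository and keyring URLs are Wolfi's public package repository.

```yaml
# wolfi-minimal.yaml (hypothetical file name): a declarative image
# definition for apko. There are no RUN steps; the image is fully
# described by the list of packages it contains.
contents:
  # Packages are installed only if signed by a key in this keyring.
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://packages.wolfi.dev/os
  packages:
    # Base filesystem layout and CA certificates only: no shell and
    # no package manager end up in the runtime image.
    - wolfi-baselayout
    - ca-certificates-bundle
    # - example-app   # hypothetical application package built with melange

# Run as an unprivileged user instead of root.
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
  run-as: 65532

# Assumed entrypoint for the hypothetical example-app package.
entrypoint:
  command: /usr/bin/example-app

# Architectures to build for.
archs:
  - x86_64
  - aarch64
```

An image is produced from this file with `apko build wolfi-minimal.yaml wolfi-minimal:test wolfi-minimal.tar`, where the tag and output file name are placeholders. Because the package list is explicit, reviewing a change to the image's contents is a diff of this file rather than an audit of shell commands.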
Future-proof your container security with Chainguard Images
With the increasing reliance on containers in software development, Wolfi represents a significant step forward in securing these environments and is what powers our Chainguard Images solution. It offers a more reliable, efficient, and secure alternative to traditional container-building methods.
Chainguard Images are built with Wolfi to produce container images that meet the requirements of a secure software supply chain. Customers and users of Chainguard Images benefit from a secure software baseline, images with low-to-zero known CVE counts, and a reduced attack surface: using a minimal set of packages results in a smaller image size, which helps protect against common “living off the land” attacks.
For those eager to delve deeper into Wolfi’s capabilities and its impact on software supply chain security, watch my talk from Lonestar Application Security Conference (LASCON) titled Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos. My talk not only expands on the topics covered here, but also provides practical applications and a comprehensive understanding of Wolfi’s role in revolutionizing container security. Get started with Wolfi on GitHub today and watch the full video below.
If you are interested in learning more about how Chainguard Images can strengthen your container security or vulnerability management approach, reach out to our team.