Revolutionizing container security and CVE management

Jamon Camisso, Staff Developer Experience Engineer
February 8, 2024

Ensuring security within container environments has become a pivotal challenge. However, there are ways in which we can confidently approach this challenge. Enter Wolfi — a “secure-by-default” undistro, specifically designed to address vulnerabilities in container ecosystems.

The essence of Wolfi

Wolfi stands out as a solution tailored for securing containers against Common Vulnerabilities and Exposures (CVEs). Its architecture is designed to mitigate risks inherent in the software supply chain, providing peace of mind to developers and IT professionals.

In today’s software development landscape, a staggering 70–90% of any production stack consists of open-source software. Open-source technology offers immense value, particularly in its flexibility and community-driven innovation. Wolfi builds on these strengths, further enhancing security to mitigate the traditional vulnerabilities often associated with open-source solutions.

Wolfi in action: A paradigm shift

Wolfi introduces a new approach to building secure containers: rather than layering procedural Dockerfile instructions, it combines distroless methods with declarative YAML files to create minimal, more secure images. Wolfi uses tools like apko and melange to create OCI-compliant container images, ensuring fully reproducible builds. This method significantly reduces the risk of software supply chain attacks, helps with debugging, and cleanly separates packaging applications from building and configuring runtime images.

Apko and melange shift the focus from procedural Dockerfile instructions to a declarative, reproducible approach. This shift not only streamlines the container-building process but also enhances security by reducing potential attack surfaces.
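As an added illustration of the declarative approach described above (this is an example written for this page, not configuration from the original post or the Wolfi project), here is a minimal apko image definition; the package set, account IDs and entrypoint are assumptions chosen for the example:

```yaml
# apko.yaml (added example, not from the original post)
# Declarative image definition: every package comes from the signed
# Wolfi repository, and only what is listed here ends up in the image.
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    # Public key used to verify package signatures from the repository above
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    # Keep the package set minimal: a base with apk tools and CA certificates.
    # Everything left out is attack surface that never reaches the image.
    - wolfi-base
    - ca-certificates-bundle

# Run as an unprivileged user (these IDs are assumptions for this example)
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: nonroot

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

entrypoint:
  command: /bin/sh -l

# Build for both architectures; apko emits a multi-arch image index
archs:
  - x86_64
  - aarch64
```

Running `apko build apko.yaml example:latest example.tar` produces the OCI image tarball together with an SBOM of the listed packages; because the image contents are fully declared rather than accumulated through shell steps, rebuilding from the same resolved package set yields the same layers.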

Future-proof your container security with Chainguard Images

With the increasing reliance on containers in software development, Wolfi represents a significant step forward in securing these environments and is what powers our Chainguard Images solution. It offers a more reliable, efficient, and secure alternative to traditional container-building methods. 

Chainguard Images are built with Wolfi to produce container images that meet the requirements of a secure software supply chain. Customers and users of Chainguard Images benefit from a secure software baseline, images with low-to-zero known CVE counts, and a reduced attack surface from using a minimal set of packages that result in a smaller image size, which helps protect against common “living off the land attacks.”

For those eager to delve deeper into Wolfi’s capabilities and its impact on software supply chain security, watch my talk from Lonestar Application Security Conference (LASCON) titled Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos. My talk not only expands on the topics covered here, but also provides practical applications and a comprehensive understanding of Wolfi’s role in revolutionizing container security. Get started with Wolfi on GitHub today and watch the full video below.

If you are interested in learning more about how Chainguard Images can strengthen your container security or vulnerability management approach, reach out to our team.
