The push for software supply chain integrity and transparency has left many organizations struggling to retrofit security measures such as signatures, provenance and SBOMs onto legacy systems and existing Linux distributions.
This has prompted Chainguard to produce Wolfi, a new Linux ‘(un)distribution’ and build toolchain designed from the ground up to produce container images that meet the requirements of a secure software supply chain.
It’s called an (un)distribution because it isn’t a full Linux distro designed to run on bare-metal, but a stripped-down one designed for the cloud-native era.
“Attacks are happening at every point along the software supply chain, from the way code gets built, to its deployment, to how it’s run and then packaged and shipped to end users,” says Dan Lorenc, CEO and co-founder of Chainguard. “Because software supply chain security covers the entire development lifecycle, it isn’t like other areas in security where point solutions can solve this complex problem. Chainguard’s secure developer platform is a direct reflection of our mission to make the software supply chain secure by default by helping developers improve software security from build to production.”
Wolfi underpins the purpose-built Chainguard Images. These are assembled from a minimal set of components to reduce an enterprise’s attack surface, and their SBOMs are generated at build time by the same process that produces the image, rather than being reconstructed afterwards by scanning the result. The images are distroless in the sense that they are minimal to the point of not even having a package manager (such as apt or apk). Keeping dependencies to a minimum simplifies auditing, updating and transferring images, and it also shrinks the potential attack surface: there is no package manager left in the image for an attacker to use to pull in additional software.
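One check a practitioner would want on such an image is that the build-time SBOM actually matches what ended up in the image’s filesystem, and that no package manager slipped in. The Python below is an added example, not code from the page or from Chainguard. It assumes an SPDX-style JSON SBOM with a top-level `packages` list (`name`/`versionInfo`) and an apk installed-package database in apk’s `P:`/`V:` record format (as found at `/lib/apk/db/installed`); the sample SBOM and database are constructed for the demonstration, with an `apk-tools` entry deliberately planted in the database so the check has something to flag.

```python
import json
import sys

# Constructed sample SBOM (SPDX 2.3 JSON shape assumed; not a real Chainguard SBOM).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "wolfi-baselayout", "versionInfo": "20230201-r0"},
        {"name": "ca-certificates-bundle", "versionInfo": "20230506-r0"},
        {"name": "glibc", "versionInfo": "2.37-r6"},
    ],
})

# Constructed sample of an apk installed database: records separated by blank
# lines, "P:" is the package name, "V:" the version, "A:" the architecture.
# The apk-tools record is planted to simulate a package manager left in the image.
SAMPLE_APK_DB = """P:wolfi-baselayout
V:20230201-r0
A:x86_64

P:ca-certificates-bundle
V:20230506-r0
A:x86_64

P:glibc
V:2.37-r6
A:x86_64

P:apk-tools
V:2.14.0-r0
A:x86_64
"""

# Package names that indicate a package manager is present (assumed list).
PACKAGE_MANAGERS = {"apk-tools", "apt", "dpkg", "yum", "dnf", "rpm", "microdnf"}


def parse_apk_db(text):
    """Return {package_name: version} from apk's installed-database format."""
    packages = {}
    current = {}
    for line in text.splitlines():
        if not line.strip():
            # Blank line ends a record; only records with a name are kept.
            if "P" in current:
                packages[current["P"]] = current.get("V", "")
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value
    if "P" in current:  # flush the last record if the file has no trailing blank line
        packages[current["P"]] = current.get("V", "")
    return packages


def parse_spdx(text):
    """Return {package_name: version} from an SPDX JSON document's packages list."""
    doc = json.loads(text)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def audit(sbom_text, apk_db_text):
    """Compare the declared SBOM against what is actually installed in the image."""
    declared = parse_spdx(sbom_text)
    installed = parse_apk_db(apk_db_text)
    common = declared.keys() & installed.keys()
    return {
        # installed but not in the SBOM: the inventory no longer reflects the build
        "undeclared": sorted(set(installed) - set(declared)),
        # in the SBOM but not installed: the SBOM overstates what is shipped
        "missing": sorted(set(declared) - set(installed)),
        "version_mismatch": sorted(n for n in common if declared[n] != installed[n]),
        # any package manager present breaks the distroless property
        "package_managers": sorted(set(installed) & PACKAGE_MANAGERS),
    }


def is_clean(report):
    """True only when the SBOM matches the image exactly and no package manager is present."""
    return not any(report.values())


if __name__ == "__main__":
    report = audit(SAMPLE_SBOM, SAMPLE_APK_DB)
    print(json.dumps(report, indent=2))
    sys.exit(0 if is_clean(report) else 1)
```

Run against a real image by extracting `/lib/apk/db/installed` from its filesystem and the SBOM the build produced; a non-zero exit means the shipped image and its bill of materials have drifted apart, or that a package manager is present where the image is supposed to be distroless.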
At the same time, the company is launching Chainguard Academy, which delivers educational resources at no cost so that developers, engineers and CISOs can get hands-on with software supply chain security tooling and recommended practices. Developers using Chainguard Academy can work with Sigstore and distroless container images directly from their browsers through an interactive sandbox terminal.
“The software supply chain will become more secure if we all do our part to make incremental progress towards security improvements,” says Lisa Tagliaferri, head of developer education at Chainguard. “Our hope with Chainguard Academy is to provide the developer community with the resources needed to meet these longer-term and sustainable goals.”
You can find out more on the Chainguard blog.