Chainguard has announced the technical preview of Wolfi, a new Linux distribution designed for container environments and built to ensure a secure software supply chain. Wolfi is designed to be a minimal distribution that provides a build-time SBOM for all included packages.
Wolfi provides a number of key features that minimize its surface area and focus on container and cloud-native environments. Dan Lorenc, CEO of Chainguard, explains that this is why they refer to it as an undistro:
We refer to Wolfi as an undistro because it is not a full Linux distribution designed to run on bare-metal, but a stripped-down one designed for the cloud-native era. Most notably, we don’t include a Linux kernel, instead relying on the environment (such as the container runtime) to provide this.
Each package included in Wolfi has a build-time SBOM (Software Bill of Materials) as standard. The packages are designed to be independent of one another to further support a minimal image. Similar to Alpine, Wolfi makes use of the apk package format, but it is also designed to support both glibc and musl. Images built with Wolfi are based on free and open source software.
An Aqua Security report on supply chain attacks found a 300% increase in attacks from 2020 to 2021. The report identified three primary areas of risk that companies should address to improve the security of their supply chain: vulnerable packages, compromised pipeline tools, and code and artifact integrity.
Google's Supply Chain Levels for Software Artifacts (SLSA) framework stresses the importance of automated, auditable build processes that automatically generate provenance. Provenance is metadata about how the artifact was built including information on ownership, sources, dependencies, and the build process used.
In a recent interview with InfoQ, Brian Fox, CTO at Sonatype, shared some effective practices for minimizing the impact of supply chain issues which include using SBOMs effectively. He also stressed that:
It’s an absolute priority to ensure your organization has a robust view of its in-use components so you can respond to disclosures quickly, but it’s also essential that organizations recognize new, and intentionally malicious threats from the jump.
Chainguard produced Wolfi as the base for building Chainguard Images, their collection of curated distroless images built to mitigate these software supply chain issues. Lorenc states that distroless means the images are "minimal to the point of not even having a package manager (such as apt or apk)". Chainguard Images are signed with Sigstore and include SBOMs generated at build time.
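The practical value of a build-time SBOM, as Brian Fox's remark above suggests, is being able to answer "are we running the affected component?" the moment a disclosure lands. The following is an added example (not code from Chainguard, Wolfi or InfoQ) showing how a consumer can load an SPDX JSON SBOM of the kind attached to a container image, normalise apk-style versions, and cross-reference the installed components against a list of advisories. The SBOM document, the package names and versions, and the advisory identifiers are all constructed for this example and stand for nothing real.

```python
"""Cross-reference an SPDX JSON SBOM against a list of advisories.

Added example: the SBOM, package versions and advisory IDs below are
constructed placeholders, not data from any real image or advisory feed.
"""
import json
from typing import Dict, List, Tuple

# Constructed SPDX 2.3 document standing in for an image's build-time SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-sha256:PLACEHOLDER-IMAGE-DIGEST",
    "packages": [
        {"name": "ca-certificates-bundle", "versionInfo": "20220614-r0"},
        {"name": "glibc", "versionInfo": "2.36-r1"},
        {"name": "openssl", "versionInfo": "3.0.5-r2"},
    ],
})

# Constructed advisories: which package is affected and the first fixed
# version. IDs are placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.7-r0"},
    {"id": "ADV-EXAMPLE-0002", "package": "glibc", "fixed_in": "2.35-r0"},  # already fixed
    {"id": "ADV-EXAMPLE-0003", "package": "zlib", "fixed_in": "1.2.13-r0"},  # not installed
]


def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn an apk-style version like '3.0.5-r2' into ((3, 0, 5), 2).

    Non-numeric components are treated as 0 so the comparison stays total;
    a production checker would use the packaging tool's own comparator.
    """
    base, _, release = version.partition("-r")
    numeric = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return numeric, int(release) if release.isdigit() else 0


def load_components(sbom_json: str) -> Dict[str, str]:
    """Return {package name: installed version} from an SPDX JSON SBOM."""
    document = json.loads(sbom_json)
    components: Dict[str, str] = {}
    for package in document.get("packages", []):
        name = package.get("name")
        version = package.get("versionInfo")
        if name and version:
            components[name] = version
    return components


def affected_components(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """List advisories whose package is installed below its fixed version."""
    components = load_components(sbom_json)
    hits = []
    for advisory in advisories:
        installed = components.get(advisory["package"])
        if installed is None:
            continue  # component not present in this image: nothing to do
        if parse_apk_version(installed) < parse_apk_version(advisory["fixed_in"]):
            hits.append({
                "id": advisory["id"],
                "package": advisory["package"],
                "installed": installed,
                "fixed_in": advisory["fixed_in"],
            })
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['id']}: {hit['package']} {hit['installed']} "
              f"(fixed in {hit['fixed_in']})")
```

Run against the constructed inputs, only the openssl advisory is reported: glibc is already at or above the fixed version and zlib is not in the image at all. The same loop, pointed at the SBOM an image registry returns for a given digest and at a real advisory feed, is what turns "we have SBOMs" into a response process.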
Aligning to the SLSA framework, these images are built using apko and melange, enabling a reproducible, declarative approach to building OCI images. Chainguard aims to build their images from the latest sources nightly. The static image is designed for running statically compiled binaries and includes some commonly required files such as root certificate data and directories such as /etc/passwd and /tmp. Images are also available that contain development tooling such as the Go or C compilers.
Recent vulnerability scans using Trivy, comparing Chainguard images against similar images, show a significant difference in the number of detected issues:
Wolfi and Chainguard images are available free to use under the Apache License 2.0.