Sourcegraph reaches “inbox zero” for CVEs with Chainguard Images

The growing use of open-source components and dependencies can create security vulnerabilities. This case study explains how Sourcegraph streamlined Common Vulnerabilities and Exposures (CVE) detection and remediation with Chainguard Images, significantly reducing known vulnerabilities.


Challenge


CVEs are a long-standing reality in software development. As more companies leverage open-source components, dependencies, and libraries to accelerate product creation and development, developers have less control over the security of their release pipelines and artifact sources. Sourcegraph helps developers stay secure and in control with a code search and intelligence tool that indexes and analyzes large code bases spanning commercial, open-source, local, and cloud-based repositories.


When the Sourcegraph team detected a CVE, reviewing and remediating the issue was a lengthy process, involving everything from triaging the components and patching the code to creating an exception for the issue and documenting it. It was incredibly time-consuming—the equivalent of a full-time engineer spending 25% of their time detecting and remedying vulnerabilities. The complexity of identifying and resolving CVEs also had a negative effect on their sales and customer success divisions, who fielded calls from frustrated customers who couldn’t leverage the latest version of Sourcegraph software because it had known vulnerabilities.


When looking for a solution to detect and eliminate CVEs, Sourcegraph’s top priority was a product that avoided unnecessary packages in dependencies, employing and securing the fewest possible pieces needed to build working images. The scratch and distroless image solutions lacked adequate support, and the Sourcegraph team needed something that combined the wisdom of the open-source community and the stability and resources of an enterprise-level commercial product.


“We had a lot of discussions with customers who weren’t happy because they were not able to use the latest releases that we distributed. And then suddenly, as the customers were using the new releases with Wolfi OS and Chainguard Images, there was not that friction. It was really impressive.”

Diego Comas, Head of Security, Sourcegraph


Solution


Sourcegraph found the right combination of security and support in Chainguard Images, a collection of container base images that eliminates complexity and reduces security risks by shrinking the number of components needed to compile an image to the bare minimum. The platform was an overnight success: where the team previously struggled with minimizing and triaging CVEs in their most critical customer-facing images, they adopted Chainguard Images and reached inbox zero—zero known CVEs—for the first time in two years. Chainguard Images eliminated the daily headache of vulnerability maintenance and freed engineers and customer success teams to focus on customer innovation, new security controls, and other improvements.


Chainguard Images helps to streamline and improve customer conversations and interactions, creating friction-free deployments for users. Customers previously had to wait weeks before they were comfortable using Sourcegraph’s latest release, and it took 10–15 business days to approve and review exceptions and issue patches. Now, the containers within Sourcegraph’s control ship CVE-free. Chainguard resolves any issues as part of its daily patching process, so there’s never more than a two- or three-day delay. It’s a massive improvement for Sourcegraph’s business, and the team can operate with more confidence knowing their software is built from components free of known vulnerabilities.

