Revolutionizing container security and CVE management
Ensuring security within container environments has become a pivotal challenge. However, there are ways in which we can confidently approach this challenge. Enter Wolfi — a “secure-by-default” undistro, specifically designed to address vulnerabilities in container ecosystems.
The essence of Wolfi
Wolfi stands out as a solution tailored for securing containers against Common Vulnerabilities and Exposures (CVEs). Its architecture is designed to mitigate risks inherent in the software supply chain, providing peace of mind to developers and IT professionals.
In today’s software development landscape, a staggering 70–90% of any production stack consists of open-source software. Open-source technology offers immense value, particularly in its flexibility and community-driven innovation. Wolfi builds on these strengths, further enhancing security to mitigate the traditional vulnerabilities often associated with open-source solutions.
Wolfi in action: A paradigm shift
Wolfi introduces a new approach to building secure containers, replacing procedural Dockerfiles with distroless methods and declarative YAML files to create minimal, more secure images. Wolfi uses tools like apko and melange to create OCI-compliant container images with fully reproducible builds. This method significantly reduces the risk of software supply chain attacks, helps with debugging, and cleanly separates packaging applications (melange) from building and configuring runtime images (apko).
Apko and melange shift the focus from procedural Dockerfile instructions to a declarative, reproducible approach. This shift not only streamlines the container-building process but also enhances security by reducing potential attack surfaces.
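To make the declarative approach concrete, here is an added example of an apko image configuration (written for this article, not taken from the Wolfi or Chainguard projects). It assumes the public Wolfi package repository and signing key, and the package names shown are assumed to exist in that repository; the whole image is described as data, with no shell steps to run.

```yaml
# apko.yaml (example): a minimal, non-root Python runtime image built from Wolfi packages.
# Build with:   apko build apko.yaml example-python:latest example-python.tar
# The same file always resolves to the same package set, so the build is reproducible,
# and the resulting image lists exactly these packages in its SBOM.
contents:
  repositories:
    # Wolfi's public package repository (assumed URL).
    - https://packages.wolfi.dev/os
  keyring:
    # Public key used to verify package signatures from that repository (assumed URL).
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    # Only what the runtime needs: no shell, no package manager, no build tools.
    # Package names are assumptions about what the repository provides.
    - ca-certificates-bundle
    - python-3.12

# Run as a dedicated unprivileged user rather than root.
accounts:
  groups:
    - groupname: app
      gid: 65532
  users:
    - username: app
      uid: 65532
      gid: 65532
  run-as: app

environment:
  PATH: /usr/bin:/bin

# Image entrypoint; no interactive shell is included in the image.
entrypoint:
  command: /usr/bin/python3

archs:
  - x86_64
  - aarch64
```

Because every package comes from a signed repository and the file enumerates the full contents, a reviewer can diff two configurations to see precisely what changed between image versions, something a multi-stage Dockerfile makes much harder.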
Future-proof your container security with Chainguard Images
With the increasing reliance on containers in software development, Wolfi represents a significant step forward in securing these environments and is what powers our Chainguard Images solution. It offers a more reliable, efficient, and secure alternative to traditional container-building methods.
Chainguard Images are built with Wolfi to produce container images that meet the requirements of a secure software supply chain. Customers and users of Chainguard Images benefit from a secure software baseline, images with low-to-zero known CVE counts, and a reduced attack surface from using a minimal set of packages that result in a smaller image size, which helps protect against common “living off the land attacks.”
For those eager to delve deeper into Wolfi’s capabilities and its impact on software supply chain security, watch my talk from Lonestar Application Security Conference (LASCON) titled Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos. My talk not only expands on the topics covered here, but also provides practical applications and a comprehensive understanding of Wolfi’s role in revolutionizing container security. Get started with Wolfi on GitHub today and watch the full video below.
If you are interested in learning more about how Chainguard Images can strengthen your container security or vulnerability management approach, reach out to our team.