dlor commented on A Safer Container Ecosystem with Docker: Free Docker Hardened Images   docker.com/blog/docker-ha... · Posted by u/anttiharju
mmbleh · 3 months ago
CVE response time is a toss-up; they all patch fast. Chainguard can only guarantee zero active exploits because they control their own exploit feed, and don't publish anything on it until they've patched. So while this makes it look better, it may not actually be better.
dlor · 3 months ago
Hey!

I work at Chainguard. We don't guarantee zero active exploits, but we do have a contractual SLA we offer around CVE scan results (those aren't quite the same thing unfortunately).

We do issue an advisory feed in a few versions that scanners integrate with. The traditional format we used (which is what most scanners supported at the time) didn't have a way to include pending information so we couldn't include it there.

The basic flow was: scanner finds CVE and alerts, we issue statement showing when and where we fixed it, the scanner understands that and doesn't show it in versions after that.

So there wasn't really a spot to put "this is present"; that was the scanner's job. Not all scanners work that way though, and some just rely on our feed and don't do their own homework, so it's hit or miss.

We do have another feed now that uses the newer OSV format; in that feed we have all the info around when we detect it, when we patch it, etc.

All this info is available publicly and shown in our console, many of them you can see here: https://github.com/wolfi-dev/advisories

You can take this example: https://github.com/wolfi-dev/advisories/blob/main/amass.advi... and see the timestamps for when we detected CVEs, in what version, and how long it took us to patch.
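The detect-then-fix flow described above (a scanner flags a CVE, the advisory records where it was fixed, and the scanner stops reporting it for versions at or past the fix) as an added example, not code from the thread or from Chainguard's tooling: a minimal consumer of an OSV-style advisory that decides whether an installed package version is still affected and reads the detection-to-fix timestamps. The advisory document, the CVE id, package name, versions and timestamps are all constructed placeholders; the `detected`/`fixed_at` keys under `database_specific` are an assumed vendor extension, not the actual Wolfi feed schema, and the version parser is a simplified apk-style comparison.

```python
"""Minimal scanner-side consumer of an OSV-style advisory (added example)."""
import json
from datetime import datetime

# Constructed sample advisory in OSV shape. The id, package, versions and
# timestamps are placeholders; 'database_specific' keys are an assumed extension.
SAMPLE_ADVISORY = json.dumps({
    "id": "CVE-0000-00000",
    "modified": "2025-01-03T12:00:00Z",
    "affected": [{
        "package": {"ecosystem": "Example-Distro", "name": "example-tool"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [
                {"introduced": "0"},        # affected from the first version...
                {"fixed": "4.2.1-r3"},      # ...until this package version
            ],
        }],
        "database_specific": {             # hypothetical vendor extension
            "detected": "2025-01-01T09:00:00Z",
            "fixed_at": "2025-01-02T15:30:00Z",
        },
    }],
})


def parse_version(v):
    """Parse a simplified apk-style version 'X.Y.Z-rN' into a comparable tuple.

    Real apk versioning has more rules (suffixes such as _alpha); this
    simplification is enough to order the constructed sample versions.
    """
    if v == "0":                      # OSV convention for "since the beginning"
        return (0,), 0
    main, _, rel = v.partition("-r")
    nums = tuple(int(part) for part in main.split("."))
    return nums, (int(rel) if rel else 0)


def version_in_range(events, version):
    """True if version falls in any [introduced, fixed) window of an OSV range."""
    v = parse_version(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None              # window closed; later events start a new one
    # An 'introduced' with no 'fixed' yet means every later version is affected.
    return start is not None and v >= start


def is_affected(advisory_json, package, version):
    """Scanner decision: does this advisory still apply to package@version?"""
    adv = json.loads(advisory_json)
    for entry in adv["affected"]:
        if entry["package"]["name"] != package:
            continue
        for rng in entry["ranges"]:
            if version_in_range(rng["events"], version):
                return True
    return False


def time_to_fix_hours(advisory_json):
    """Detection-to-fix duration from the (assumed) vendor timestamps."""
    spec = json.loads(advisory_json)["affected"][0]["database_specific"]
    detected = datetime.fromisoformat(spec["detected"].replace("Z", "+00:00"))
    fixed = datetime.fromisoformat(spec["fixed_at"].replace("Z", "+00:00"))
    return (fixed - detected).total_seconds() / 3600


def scan(inventory, advisories):
    """Map package name -> list of advisory ids still applying to the inventory.

    inventory: iterable of (package, version) pairs, e.g. from an SBOM.
    """
    findings = {}
    for pkg, ver in inventory:
        for adv_json in advisories:
            if is_affected(adv_json, pkg, ver):
                findings.setdefault(pkg, []).append(json.loads(adv_json)["id"])
    return findings


if __name__ == "__main__":
    inventory = [("example-tool", "4.2.0-r1"), ("example-tool", "4.2.1-r3")]
    print(scan(inventory, [SAMPLE_ADVISORY]))
    print(f"time to fix: {time_to_fix_hours(SAMPLE_ADVISORY)} h")
```

The point of the `fixed` event is that the feed never needs a "this is present" statement: the scanner infers presence from the range and suppresses the finding only for versions at or beyond the fix, which is why a scanner that skips its own version comparison and only trusts the feed gets uneven results.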

dlor commented on Analysis of supply-chain attack on Ultralytics   blog.pypi.org/posts/2024-... · Posted by u/SethMLarson
dlor · a year ago
Really cool to see all the hard work on Trusted Publishing and Sigstore pay off here. As a reminder, these tools were never meant to prevent attacks like this, only to make them easier to detect, harder to hide, and easier to recover from.
dlor commented on PyPI now supports digital attestations   blog.pypi.org/posts/2024-... · Posted by u/miketheman
dlor · a year ago
This is awesome to see, and the result of many years of hard work from awesome people.
dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
KyleSanderson · 2 years ago
so...

FROM:scratch ?

Might be worthwhile restating the company's business model in announcements like this, especially for people unfamiliar with the area. This sounded like some wireguard thing from the name, only to discover it's just an org delivering statically linked binaries in a scratch docker image to defeat scanners...

dlor · 2 years ago
There's no defeating of scanners or even static linking. It's all automation, dynamic linking and patching to make the scanners happy. We go to great lengths to make sure that the scanners actually find everything so the results are accurate.
dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
candiddevmike · 2 years ago
As someone who has been watching Chainguard since they were "spun out" of Google, they started out trying to be the defacto container supply chain security company, realized everyone else was already doing that and well ahead of them, and have done a few pivots trying to find PMF. I think they've found more success being consultants, which is probably not what they hoped for.
dlor · 2 years ago
I can confirm our business is roughly 0 percent consulting and that it's 100% selling these hardened images.
dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
candiddevmike · 2 years ago
> But for security teams in large enterprises, Chainguard is like manna from heaven. They immediately understand what is really being sold: the elimination of enormous amounts of compulsory toil due to upgrading vulnerable software -- or having to nag other teams to do it.

Explain to me how Chainguard helps with this. Everywhere I've worked, this process has very specific needs depending on the company's internal and regulatory requirements. Chainguard may help with proof of origin/base imaging, but it doesn't do much beyond what container registries and tools like dependabot/snyk/dependency track already provide (not saying they're directly related), which doesn't really reduce that much toil.

dlor · 2 years ago
The big ones that help are SBOMs, STIGs, FIPS, and CVE reduction. The images and the paperwork we provide make it so they can be dropped in to even the most regulated environments without toil.

Most of our customers use them for FedRAMP or IL 5/6 stuff out of the box.

dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
simonw · 2 years ago
"Today, Chainguard announced that it has become a Docker Verified Publisher (DVP)"

Anyone know how that works? Does Chainguard need to pay Docker for this? What does the verification process look like?

dlor · 2 years ago
dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
remram · 2 years ago
I read the blog, then I clicked on the big "back" button at the top labeled "Unchained" and read that, then I went to your homepage and read that, then I clicked "get started" and read that page too.

I still have no idea what Chainguard is, or what those images do. All I know is those images are "hardened", is that the only thing they're for? Is that Chainguard's product?

dlor · 2 years ago
Yep, that's it - the product is hardened container images!
dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
jamesdwilson · 2 years ago
If a primary goal of a consumer of the images is security, how can we trust the images not to have backdoors or virusesesses [extra s added for comedy]?
dlor · 2 years ago
Great question! We take hardening of our build infrastructure very seriously, and helped build many of the OSS technologies in this space like the SLSA framework and the Sigstore project.

We produce SBOMs during the build process, and cryptographically sign SLSA-formatted provenance artifacts depicting the entire build process so you can trace a built container all the way back to the sources it was built from.

We also try to make as much of our build system reproducible as possible (but we're not all the way there yet), so you can audit or rebuild the process yourself.

dlor commented on Chainguard Images now available on Docker Hub   chainguard.dev/unchained/... · Posted by u/hasheddan
Operyl · 2 years ago
EDIT: upon using dockerhub’s organization page for a bit, and realizing there’s no search on the organization page (I swear there was?), I now understand.

Why does the article present this bizarre set of instructions for grabbing the image instead of linking directly? You could just link your organization no?

> Getting started with Chainguard Developer Images in Docker Hub is easy. Follow these simple steps:

> Look up the Image you want.

> Select ‘Recently Updated’ from the dropdown menu on the right.

> Filter out the community images by selecting the filter ‘Verified Publisher.’

> Copy the pull command, paste it into your terminal, and you are all set.

dlor · 2 years ago
Good callout, if you know how to use docker and dockerhub then it's just as easy as `docker pull chainguard/node`

u/dlor · Karma 1295 · Cake day June 23, 2014