Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos
2023-09-14, 16:30–17:10 (Europe/Berlin), Dome

Are you using container images with hundreds of known vulnerabilities?

The majority of us are using images based on the Docker official images available on the Docker Hub. This includes base images – such as Debian and Ubuntu – as well as application images such as nginx and redis. Unfortunately these images often have hundreds of known vulnerabilities due to excessively large dependency trees with out-of-date packages. This security debt can lead to unnecessary security risks and slower development cycles.

Wolfi (https://github.com/wolfi-dev/) is a new Linux distribution optimized for building minimal, secure container images. Wolfi maintainers prioritize a rolling release model built on a rapid package update cycle, which ensures that new vulnerabilities are remediated quickly.

This talk not only describes the problems that motivate Wolfi but also provides hands-on knowledge to help developers take advantage of Wolfi. By the end of the talk, developers will learn about packaging techniques with apko and melange, tools specifically designed to build Wolfi packages and turn them into minimal, low- or no-vulnerability containers.

Key Takeaways and Highlights

Popular, off-the-shelf base images and containers often have hundreds of known vulnerabilities (“CVEs”), which can, at worst, be a security risk and, at best, be a giant time suck.
Wolfi is a new secure-by-default Linux distribution that prioritizes rapid package updates and, by extension, fast mean time-to-remediation for known vulnerabilities.
Packages in Wolfi can form the foundation of secure, minimal base images and containers, freeing developers of tedious vulnerability management tasks and increasing security for cloud-native applications.

Talk Outline

The Cloud-Native Application Status Quo: Bloated, Outdated, Vulnerability-Laden Images
  Containers 101
  Show the results of running security scanners against popular Docker Hub official images
    Use grype (an open source scanner) to scan golang:latest and nginx:latest. Show via command line.
  Show data and analysis on package counts, package staleness, and vulnerability counts of official Docker Hub images
    Draw on six months of daily scanning results collected by the presentation team
Overview of Wolfi
  Fast package update times
  Fast vulnerability mean time-to-remediation
  Granular packages
    Wolfi packages are often packaged at a more granular level than their counterparts in other distributions, which allows developers to pick and choose only the components that are essential for an image, without dragging in unnecessary functionality and attack surface.
  Rolling release
Why not alternative approaches, either other minimal images or using other distros?
  Google distroless
    Debian-based, so there can be slow update times for packages
  Debian: slow package updates
How to build images with Wolfi packages
  Explain melange and building packages
    Example of building a package with melange
  Explain apko and building images
    Demo of building an image with apko

James joined Chainguard after a long stint of helping customers migrate to the Cloud and Kubernetes. Security was the number one issue he saw when doing these migrations, and he now wants to help secure their supply chains. James is also the co-author of O’Reilly’s Networking & Kubernetes, KubePhilly Meetup organizer, and A Cloud Guru instructor. When he is not at a computer, you can find him in the gym doing Olympic weightlifting or on the rugby pitch.

Carlos Panato is a Staff Software Engineer at Chainguard, Inc., who’s working on development and infrastructure using Kubernetes and containers. Previously, he’s worked on development, testing, processes, and management. He contributes to several CNCF/LF projects and is an active community member across the OSS universe.