Overview on

Octo STS Overview

Tue, 23 Dec 2025 15:04:05 +0100

Octo STS is a GitHub App developed by Chainguard that acts as a Security Token Service (STS) for the GitHub API. It enables workloads running anywhere that can produce OIDC tokens to federate with GitHub, exchanging those tokens for short-lived GitHub access tokens. The primary goal is to eliminate the need for GitHub Personal Access Tokens (PATs), which are long-lived credentials that pose significant security risks.

Why Octo STS Matters

Long-lived access tokens are a common target in security incidents. When attackers gain access to a PAT, they can exploit it to access repositories, make changes, and pivot to other resources. These tokens often have broad permissions and no expiration date, making them particularly dangerous if compromised.

Chainguard VMs Overview

Tue, 21 Oct 2025 08:04:00 +0000

Chainguard VMs offer a minimal and verifiable foundation for running ephemeral workloads in cloud and on-prem hypervisor deployments, designed to complement and extend the same secure-by-default philosophy found in Chainguard Containers. With a strong focus on rapid CVE remediation and a small attack surface, Chainguard VMs are purpose-built to service the target workload and include only the packages that are essential for its operation.

Built in the Chainguard Factory, Chainguard VMs benefit from a highly automated, secure-by-design build pipeline that ensures consistent, reproducible artifacts. This streamlined process enables the delivery of VM images that are continuously updated to eliminate known vulnerabilities.

Overview of Chainguard's Package Repositories

Thu, 09 Oct 2025 00:00:00 +0000

Chainguard Containers are built using packages from the Wolfi and Chainguard OS Linux distributions. If you need to extend or customize an image, it can be useful to access these packages directly.

Chainguard offers curated package repositories to support containerized workloads and simplify dependency management. These repositories ensure you can access trusted packages — whether building custom container images, working with Chainguard OS, or using Chainguard Containers in production.

This article provides an overview of Chainguard’s package model, highlighting the different Chainguard package repositories available to customers.

What is the Chainguard Factory?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So Dustin, can you explain what the Chainguard Factory is?

Chainguard Libraries overview

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries provide enhanced security for open source dependencies in the Java, JavaScript, and Python ecosystems, addressing critical supply chain vulnerabilities through automated patching and continuous monitoring. Modern applications rely heavily on libraries from public repositories like Maven Central, npm Registry, and PyPI, but using these repositories introduces supply chain risks that could expose your applications and system to compromise.

Background

Open source libraries distributed through public repositories face several security challenges: maintainers may not promptly address vulnerabilities, binary artifacts can be compromised, and the sheer volume of transitive dependencies makes manual security management impractical. While these repositories enable rapid development, they also introduce supply chain risks that traditional security approaches struggle to address.

What Are Software Vulnerabilities and CVEs?

Fri, 30 Jun 2023 19:10:09 +0000

A software vulnerability is a weakness in a program which, if left unaddressed, may be used by attackers to access, manipulate, or compromise a computer system. Vulnerabilities can be introduced at different stages of development and vary in their scope, criticality, and potential attack vector depending on their root cause. As a consequence, software developers spend time and resources triaging, remediating, and patching vulnerabilities to harden their software security and to prevent attackers from exploiting unintended program behavior.

An Introduction to Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Rekor stores records of artifact metadata, providing transparency for signatures and therefore helping the open source software community monitor and detect any tampering of the software supply chain. On a technical level, it is an append-only (sometimes called “immutable”) data log that stores signed metadata about a software artifact, allowing software consumers to verify that a software artifact is what it claims to be. You could think of Rekor as a bulletin board where anyone can post and the posts cannot be removed, but it’s up to the viewer to make informed judgements about what to believe.

An Introduction to Cosign

Tue, 19 Jul 2022 08:49:31 +0000

An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.

Cosign supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry. While Cosign was developed with containers and container-related artifacts in mind, it can also be used for open source software packages and other file types. Cosign can therefore be used to sign blobs (binary large objects), files like READMEs, SBOMs (software bills of materials), Kubernetes Helm Charts, Tekton bundles (an OCI artifact containing Tekton CI/CD resources like tasks), and more.

Why Care About Software Vulnerabilities?

Thu, 13 Jul 2023 19:46:58 +0000

Software products are prone to vulnerabilities which, if exploited by an attacker, may negatively impact the systems and consumers relying on them. Attacks against vulnerable software systems can result in the unintended exposure and misuse of sensitive data (like the theft of user account credentials). In other cases, these attacks could affect the provision of a service, or compromise critical infrastructure that relies on the software. Given the considerable threat that they can pose, it is important that developers spend time mitigating vulnerabilities to protect against hackers seeking to exploit them.

Infamous Software Vulnerabilities

Fri, 21 Jul 2023 19:16:39 +0000

Software vulnerabilities vary in their severity – some are difficult to exploit and have minimal implications, while others can be exploited easily, giving an attacker significant leverage over a computer system. In cases where widely-implemented software contains high-severity vulnerabilities, the damage caused by their exploitation can affect millions of developers and services worldwide.

In this article, you will learn how the KEV Catalog tracks known exploited software vulnerabilities, and how it serves as a tool for developers and federal agencies. In addition, you will explore Log4Shell, Heartbleed, and Shellshock, three infamous software vulnerabilities which have had major impacts on software security worldwide.

Software Vulnerability Remediation

Mon, 31 Jul 2023 14:04:10 +0000

At worst, a software vulnerability can impose a critical security flaw that warrants attention. Developers care about mitigating software vulnerabilities because their presence may harm the integrity of their product, negatively affect downstream users, or slow down efforts toward meeting regulatory requirements. However, modern software development practices which incorporate third-party packages in addition to newly scripted code can complicate the vulnerability remediation process. Keeping track of how and where vulnerabilities are introduced, as well as what introduced them, is an arduous task when multitudes of dependencies are working together.

Kubernetes Policy Enforcement with OPA Gatekeeper

Tue, 02 Sep 2025 10:00:00 +0000

Gatekeeper is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.

Prerequisites

To follow the examples in this guide, you will need the following:

Overview of Roles and Role-bindings in Chainguard

Wed, 03 Apr 2024 08:48:45 +0000

In the context of Chainguard, an identity represents an individual user within an organization. Chainguard’s IAM model allows administrators to assign identities to specialized roles which define the level of access that an identity has to the organization’s resources. You assign a role by creating a role-binding, which is what ties an identity to a given role.

This guide serves as an overview of what roles and role-bindings are within the context of Chainguard. It also outlines how you can manage roles and role-bindings with chainctl.

Using Custom Identity Providers to Authenticate to Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

The Chainguard platform supports Single Sign-on (SSO) authentication for users. By default, users can log in with GitHub, GitLab, and Google, but SSO support allows users to bring their own identity provider for authentication. This is helpful when your organization mandates using a corporate identity provider — like Okta or Azure Active Directory — to authenticate to SaaS products.

Usage

Once an administrator has configured an identity provider and set up their organization, users can authenticate at the command line and in the web console using the identity provider’s organization.

Cosign: The Manual Way

Wed, 29 Mar 2023 08:49:31 +0000

Note: This tutorial is no longer actively maintained and may reference outdated versions of Cosign and related tools. While the underlying cryptographic concepts remain relevant, we recommend consulting the current Cosign documentation for up-to-date usage guidance. This content is preserved for educational purposes and may still provide value for those interested in understanding the mechanics of software signing.

When I first used Cosign, the software artifact signing CLI from the Sigstore project, I was amazed at how painless signing and verifying could be.

Kubernetes Policy Enforcement with Kyverno

Fri, 26 Sep 2025 10:00:00 +0000

Kyverno is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.

Prerequisites

To follow the examples in this guide, you will need the following:

Chainguard Libraries for Python overview

Wed, 09 Apr 2025 04:00:00 +0000

Introduction

Chainguard Libraries for Python provides enhanced security for the vast Python ecosystem by rebuilding PyPI packages with comprehensive supply chain protection and automated patching. With over 600,000 packages on the Python Package Index (PyPI) serving application development, machine learning, and data science needs, Chainguard addresses the critical security challenges of depending on packages from untrusted sources by rebuilding them within the controlled Chainguard Factory environment. In addition, Chainguard eliminates security risk by remediating High and Critical vulnerabilities across older package versions where upstream maintainers are not able to prioritize fixes.

Chainguard Libraries FAQ

Tue, 25 Mar 2025 08:04:00 +0000

What security issues can Chainguard Libraries prevent?

As detailed on the background and introduction pages, Chainguard Libraries are built directly from source in the Chainguard Factory and the resulting binaries are directly provided to you by Chainguard. Chainguard operates the whole supply chain for the package lifecycle as one reliable, secure partner. You can therefore avoid issues from the following software supply chain attack surface points:

Getting Started with Distroless Container Images

Thu, 21 Mar 2024 08:49:31 +0000

About Distroless Container Images

Distroless container images, like the ones built by Chainguard, are a type of container image designed to include only essential software required to run an application or service. Unlike traditional images based on Debian or Ubuntu — which include package managers, utilities, and shells — Chainguard’s distroless images remove these components to significantly reduce attack surface and minimize vulnerabilities.

What are Containers?

Tue, 17 Oct 2023 20:02:23 +0000

Maximizing the performance of computer hardware has been a critical undertaking for software engineers for decades. First developed in the 1960s, virtual machines (VMs) were an early answer to this challenge, allowing a single computer to host multiple, isolated operating systems. VMs enable different guest users or processes to share physical infrastructure while keeping their concurrent operations separated. However, as VMs are both slow to initialize and resource-intensive, a modern solution arrived in the early 2000s: containers.

melange Overview

Mon, 17 Oct 2022 11:07:52 +0200

melange is an apk builder tool that uses declarative pipelines to create apk packages. It is part of the open source tooling used for Wolfi, which is the operating system used to power Chainguard Containers.

From a single YAML file, users are able to generate multi-architecture apks that can be injected directly into apko builds.

The following diagram contains an overview of the apko and melange ecosystem and how they work together to compose apk-based images, using either Wolfi or Alpine as base system.

apko Overview

Mon, 10 Oct 2022 11:07:52 +0200

apko is a command-line tool designed to create single-layer container images based on the apk package format. It was so named as it uses the apk package format and is inspired by the ko build tool.

apko is part of the open source toolkit developed by Chainguard to build Chainguard Containers. The following diagram contains an overview of the apko ecosystem and how it interacts with melange for building apk-based images, using either Wolfi or Alpine as base system.

How Chainguard Containers are Tested

Thu, 21 Mar 2024 11:07:52 +0200

Chainguard Containers are minimal, distroless container images that you can use to build and run secure applications. Given the importance of secure, highly performant images, Chainguard performs testing to ensure our container images match the functionality of upstream and other external counterparts.

This article provides a high-level overview of Chainguard’s approach to testing when building new container images to ensure their security and consistency with comparable container images.

Build requirements for new container images

Chainguard has a set of requirements in place that new container images must meet in order to be included in our Containers Directory. These requirements fall into two categories:

What does the Chainguard Factory build?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So Dustin, what does the Factory actually build every day?

Touring the Chainguard Factory

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So Dustin, can you give us a quick tour of the Chainguard Factory?

False Positives and False Negatives with Container Images Scanners

Thu, 14 Sep 2023 16:59:04 +0000

A vulnerability scanner is a tool that analyzes your software components and reports any CVEs it finds. Using a vulnerability scanner to find CVEs that impact your system is a critical step in software vulnerability remediation, but as you begin to triage scanner-reported vulnerabilities, you may find that your scanner’s results are not perfectly accurate.

The goal of a vulnerability scanner is to identify the vulnerabilities that impact your container images, which can be considered true positive vulnerabilities. Sometimes, a scanner surfaces CVEs which are not actually impacting your images, which are called false positive vulnerabilities. Your scanner may even miss some vulnerabilities that are impacting you, termed false negative vulnerabilities.

chainctl Usage

Mon, 03 Mar 2025 08:49:15 +0000

Chainguard’s chainctl (Chainguard Control) is a command-line interface that provides comprehensive control over your Chainguard resources, including container images, identity management, and security configurations. This CLI tool enables automation and advanced operations beyond what’s available in the Chainguard Console, making it essential for DevOps workflows and CI/CD integration.

Like most control commands that end with ctl, such as systemctl or loginctl, chainctl uses the familiar <context> <noun> <verb> syntax.

This page lists a curated set of chainctl resources to help you get started.

Can anybody build Chainguard Containers themselves?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: But everything is open source—can anybody build the images themselves?

Chainguard Libraries for JavaScript overview

Thu, 05 Jun 2025 09:00:00 +0000

Chainguard Libraries for JavaScript is a major ecosystem supported by Chainguard Libraries. The JavaScript ecosystem consists of thousands of open source projects from the communities around JavaScript, TypeScript, Node.js, React, Vue.js, Angular, Svelte, Next.js, Express, and many others.

Chainguard Libraries for JavaScript provides access to a growing collection of popular Javascript packages rebuilt from source. New releases of packages requested by customers are built and added to the index by an automated system. These libraries can also be consumed through the Chainguard Repository, which provides a single endpoint for package retrieval and supports configurable security policies for both Chainguard-built and upstream packages.

Chainguard Libraries for Java overview

Tue, 25 Mar 2025 08:04:00 +0000

Introduction

Chainguard Libraries for Java provides enhanced security for the Java ecosystem by rebuilding popular Maven dependencies with the latest patches and comprehensive supply chain protection. As the first supported ecosystem in Chainguard Libraries, this service addresses critical vulnerabilities in the vast Java/JVM ecosystem that spans hundreds of projects from organizations like the Apache Software Foundation, Eclipse Foundation, and numerous independent maintainers.

How does Chainguard Libraries help developers?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So how does Chainguard Libraries help developers?

Inside the Chainguard Factory - Assemble 2025

Thu, 31 Jul 2025 16:00:00 +0000

Transcript

Sam (Introduction): We’re very fortunate our Vice President of Engineering, Dustin Kirkland, is going to be walking us through the Chainguard Factory, which you would have heard a little bit about during the keynote today. So I’ll go ahead and turn things over to Dustin. We will have time at the end for questions, so keep that in mind. Thank you.

Chainguard Libraries for Java

Wed, 18 Jun 2025 21:00:00 +0000

The May 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for Java. It starts with an overview about libraries and the Java ecosystem and progresses to a demo with Apache Maven and Sonatype Nexus.

Sections

0:00 Introduction and agenda
2:38 Chainguard and containers
3:47 Chainguard Factory
4:57 Concepts - from containers to libraries
9:00 Java and Java libraries
12:45 Software supply chain of libraries and attacks
19:27 Dependency supply in Java
20:30 Repository concept and Maven Central
24:32 Chainguard Libraries for Java and repository manager intro
28:17 Developer tools
29:21 Demo start and setup with chainctl
32:55 Sonatype Nexus configuration
37:30 Maven configuration
40:41 Example project setup, build, and results
44:57 Dependency list and tree
47:00 Results and verification
49:37 Summary
50:43 Up next
52:55 Questions

Demo

Following are some of the commands used in the demo. More information can be found in the slide deck, the linked resources, and the video.

Wolfi Overview

Thu, 01 Sep 2022 08:49:31 +0000

Wolfi is a community Linux undistro designed for the container and cloud-native era. Chainguard started the Wolfi project to build Chainguard Containers, our collection of curated distroless images that meet the requirements of a secure software supply chain. This required a Linux distribution with components at the appropriate granularity and with support for glibc.

Building our own undistro also allows us to ensure packages have full provenance and metadata for supporting modern supply-chain security needs.

Using Init Containers with Chainguard Containers

Mon, 04 Aug 2025 15:21:01 +0000

Chainguard Containers are designed with minimalism and security in mind. By including fewer packages and tools, Chainguard Containers have a smaller attack surface than their counterparts. However, there are cases where the external counterparts have certain desirable features, like useful startup scripts or configuration defaults.

There are several ways to customize Chainguard Containers. For example, you can use Custom Assembly to add packages to an otherwise minimal Chainguard container image. Changing a Chainguard container image’s configuration — such as updating its entrypoint or adding startup scripts — requires a different strategy. One method for doing so in Kubernetes deployments is to use init containers.

An Introduction to Fulcio

Fri, 19 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Fulcio chapter of the Linux Foundation Sigstore course.

Fulcio is a certificate authority that binds public keys to identities such as email addresses (such as a Google account) using OpenID Connect, essentially notarizing a short-lived key pair against a particular login. A certificate authority issues digital certificates that certify that a particular public key is owned by a particular entity. The certificate authority therefore serves as a trusted third party, helping parties that need to attest and verify identities.

Policies

Thu, 21 May 2026 08:48:45 +0000

Policies enable you to filter and restrict Chainguard artifact updates. You do this by defining policies that control and restrict versions that will be pulled from Chainguard.

Note: Policies is in beta. Contact your Chainguard account team to enable it for your organization.

Definitions

This is how policies uses the following terms.

Learning Labs

Wed, 18 Jun 2025 21:00:00 +0000

Learning Labs are regularly run, virtual events from Chainguard that provide educational and training material about Chainguard products, software supply chain security, and related topics.

Lab Notes

The lab notes often include demo projects, a slide presentation, sample commands, links to specific sections in the video, and pointers to more resources:

Introduction to the Chainguard Terraform Provider

Sun, 28 Jan 2024 15:56:52 -0700

Terraform is an infrastructure as code tool that allows users to declaratively configure resources in cloud providers like AWS and GCP, SaaS platforms, and many other API-driven environments. Terraform providers are written by third-party developers to allow Terraform to manage resources in their environment.

The Chainguard Terraform provider enables users to manage resources on the Chainguard Platform, such as identities, role-bindings, custom roles, and more. This guide provides a brief introduction to the Chainguard Terraform provider, including how to configure it and use it to manage your Chainguard resources.