Foundational Concepts

What is Wolfi?

Wolfi is a modern, open source Linux distribution that's optimized for producing secure, minimal container images. It doesn't include a kernel; it consists solely of software packages meant to run on Linux systems. A broader overview of Wolfi is available at https://edu.chainguard.dev/open-source/wolfi/overview/.

In short, Wolfi can be thought of as a collection of installable packages for Linux.

Packaging format

Wolfi uses the APK specification, which means each package is made available as a .apk file, and APK installation is performed by the apk tool or a spec-compliant library like go-apk.

Importantly for scanners, this also means a record of all installed distro packages is available on a given filesystem at /lib/apk/db/installed.

Chainguard enterprise packages

Chainguard also provides additional packages that are very similar to Wolfi packages, built with the same tooling, and packaged using APK, but that are not publicly available.

What is Chainguard Images?

Chainguard Images is a Chainguard product. It's a collection of both open source and private container images, served from Chainguard's registry.

When Chainguard builds these images, we draw from both the publicly available Wolfi packages and our private enterprise packages, depending on what's needed in the image. Chainguard's public images never include private enterprise packages, but Chainguard's private images almost always include packages from Wolfi.

You can browse these container images interactively at https://console.enforce.dev/images/catalog?filter=all (the authentication prompt accepts everyone).

Security data

Chainguard continuously publishes data about software vulnerabilities for Wolfi and our enterprise packages. Here's how it works.

Chainguard advisory data

Chainguard staff members carefully review potential vulnerabilities in our public and private packages. This analysis is captured as advisory data, which serves as the source of truth for all vulnerability investigations and conclusions.

In its raw form, advisory data is stored as YAML and version-controlled using git. We operate on the data using wolfictl. The Wolfi advisory data repository is public, while the repository for Chainguard's enterprise packages is not public.

We can use advisory data to produce different kinds of downstream data. The primary downstream use of this data is our security feeds, intended for consumption by vulnerability scanners.

Security feeds

The secdb

A secdb is a JSON file that uses the same schema as the Alpine distro's security feeds.

Chainguard produces two secdbs: one for Wolfi, and one for all Chainguard packages (including private enterprise packages).

The "Wolfi secdb" is located at https://packages.wolfi.dev/os/security.json.

The "Chainguard secdb" is located at https://packages.cgr.dev/chainguard/security.json.

The Wolfi secdb and Chainguard secdb are each licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0).

Interpreting secdb data

The secdb JSON document has a number of properties. The important property for scanners to examine is packages. This is an array of package entries, where each entry wraps a pkg object that has a name string property and a secfixes object property.

The name value refers to the name of an APK origin package (e.g. from Wolfi) as recorded in the APK installation database.

The secfixes value maps published versions of that APK package to arrays of IDs of vulnerabilities that have been fixed as of the given package version.

For example, here's an excerpt of the Wolfi secdb:

{
  "apkurl": "{{urlprefix}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk",
  "archs": [
    "x86_64",
    "aarch64"
  ],
  "reponame": "os",
  "urlprefix": "https://packages.wolfi.dev",
  "packages": [
    {
      "pkg": {
        "name": "apko",
        "secfixes": {
          "0.7.3-r1": [
            "CVE-2023-28840",
            "CVE-2023-28841",
            "CVE-2023-28842"
          ],
          "0.8.0-r1": [
            "CVE-2023-30551"
          ]
        }
      }
    },
    // ...

From this data, we can see that the Wolfi package named apko, in its version 0.7.3-r1, resolved three CVEs: CVE-2023-28840, CVE-2023-28841, and CVE-2023-28842.
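The lookup a scanner performs with this data, as an added example that is not code from the page or from Chainguard's tooling: it parses a secdb, reads records from the apk installed database (the P:, V: and o: fields for package name, version and origin), and reports, per installed package, which feed entries are fixed at or below the installed version and which are only fixed later. Both inputs are constructed inline (the apko-doc record is invented to show origin mapping), and the version comparison is a deliberate simplification that handles only the "X.Y.Z-rN" shape.

```python
import json

# Constructed secdb excerpt (Wolfi-style schema), closed into a complete JSON document.
SECDB_JSON = """{
  "packages": [
    {"pkg": {"name": "apko", "secfixes": {
      "0.7.3-r1": ["CVE-2023-28840", "CVE-2023-28841", "CVE-2023-28842"],
      "0.8.0-r1": ["CVE-2023-30551"]}}}
  ]
}"""

# Constructed excerpt of /lib/apk/db/installed: records are separated by blank lines,
# "P:" is the package name, "V:" its version and "o:" the origin package it was built from.
INSTALLED_DB = """P:apko
V:0.7.3-r1
o:apko

P:apko-doc
V:0.7.3-r1
o:apko
"""

def parse_secdb(text):
    """Return {origin name: {fix version: [vulnerability IDs]}} from a secdb document."""
    doc = json.loads(text)
    return {p["pkg"]["name"]: p["pkg"]["secfixes"] for p in doc["packages"]}

def parse_installed_db(text):
    """Yield (package, version, origin) for each record in the apk installed database."""
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        yield fields["P"], fields["V"], fields.get("o", fields["P"])

def version_key(version):
    """Sortable key for "X.Y.Z-rN" only; real apk versions also allow _alpha/_rc/_p suffixes."""
    base, _, rel = version.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rel or 0)

def assess(installed_db, secdb_json):
    """Per installed package: IDs fixed at or below its version, and IDs fixed only later."""
    secdb = parse_secdb(secdb_json)
    result = {}
    for name, version, origin in parse_installed_db(installed_db):
        fixed, unfixed = [], []
        for fix_version, ids in secdb.get(origin, {}).items():
            (fixed if version_key(fix_version) <= version_key(version) else unfixed).extend(ids)
        result[name] = {"fixed": sorted(fixed), "unfixed": sorted(unfixed)}
    return result
```

For production use, replace version_key with an apk-aware comparator such as the one in go-apk, since the full apk version grammar is richer than the numeric form handled here.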

OSV feed

As an alternative to the secdb, we also provide an OSV feed. If you're unfamiliar with the OSV format, check out https://ossf.github.io/osv-schema/.

The OSV feed provides several advantages over the secdb. While the secdb uses a format unique to the Alpine community, OSV has grown into a standard used by numerous software ecosystems. On top of that, the OSV format also allows data providers (like Chainguard) to express more detail about each vulnerability and its impact on their provided software artifacts (APKs, in our case).

Chainguard provides a single OSV feed that includes security data for both Wolfi and Chainguard's private package repositories — unlike how there are two secdbs, for "Wolfi" and "Chainguard" respectively.

An index of Chainguard's OSV data is located at https://packages.cgr.dev/chainguard/osv/all.json.

Each individual Chainguard advisory is represented as its own file, where the advisory ID (prefixed with CGA-) replaces the "all" in the URL above. For example, the advisory CGA-2226-2498-2frm is located at https://packages.cgr.dev/chainguard/osv/CGA-2226-2498-2frm.json.

This OSV feed is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0).

Update frequency

Both Chainguard's secdbs and the OSV feed are updated frequently, as soon as new data is available in our central advisory data store. This means that both data feed mechanisms usually receive updates several times a day.


Next up: Scanning Implementation