
The primary goal behind Wolfi, which was introduced a year ago, is to create secure, hardened containers with zero known CVEs, according to the project maintainers in a post.
Since its launch, the team of maintainers at Chainguard, together with community contributors, has been focused on helping developers address software supply chain security challenges. They achieved this by providing a foundational platform for building software securely from the outset.
“I use Wolfi primarily on Windows Subsystem for Linux, so my viewpoint is quite different from the typical use case, however the reason I do it is the same: security. Wolfi forces me to think differently, in a secure manner, when it comes to package selection and ultimately, I can apply this knowledge when creating new containerized applications,” said Nuno do Carmo, technical author at SUSE and Wolfi Community Member.
In the past year, Wolfi has made significant progress, boasting over 1,300 package configurations in its repository and an impressive 18,000+ packages in its index. With more than 4,400 merged PRs and contributions from 60 individuals, the project has garnered widespread support.
One standout achievement is Wolfi’s package update interval, measured in hours, ensuring users receive timely updates. It typically takes less than 24 hours for a new Wolfi package release after an upstream source code update, making it exceptionally fast.
The Wolfi community has also embraced scanning tools for vulnerability assessments, including Docker Scout, Grype, Snyk, Trivy, and Wiz, with Prisma Cloud on the horizon.
Wolfi’s technical innovations are tailored to meet the demands of rapidly evolving containerized and cloud-native workloads.
The project prioritizes update speed over stability, using a rolling release cadence without traditional version numbers, according to the team. This ensures that users have access to vulnerability-free packages promptly.
Among the technical milestones achieved in the past year, Wolfi introduced “wolfi-act,” an open-source project enabling dynamic use of Wolfi packages within GitHub Actions. It also extended support to 64-bit ARM architecture, optimizing packages for major cloud providers like AWS, GCP, and Azure. Additionally, the integration of the Rustls TLS library in partnership with the Internet Security Research Group (ISRG) enhances memory safety, addressing critical vulnerabilities in the software landscape. These developments position Wolfi as a promising distro for cloud-native development and software supply chain security innovation.
“Since the birth of modern containers, few distros had a real impact, and Wolfi is definitely one of them. Since the creation, the idea was to have a container (un)distro instead of trimming down an existing distro. It might seem to reach the same end goal, however in practice this means Wolfi can really be a ‘security first’ distro as it doesn’t have to be debloated,” Carmo added.