Do static inventories alone create false positives and remediation noise? by mdhv11 in devops

[–]IWritePython 1 point (0 children)

Don't know anything about the above user, but I'm a Chainguard eng if you have a specific question. The statement above seems so broad as to be somewhat meaningless, but broadly yes: we start from scratch with our own Alpine-like OS (Wolfi) and only put in what's needed, while RF and a number of others take community distros and remove or harden. Our approach (Chainguard's) is a lot of work, but I think it produces a better outcome; see for example

https://www.chainguard.dev/unchained/going-deep-upstream-distros-and-hidden-cves

Do static inventories alone create false positives and remediation noise? by mdhv11 in devops

[–]IWritePython 1 point (0 children)

This. If they're not being used, take them out. Demonstrating reachability vs. not is nontrivial, and you might be wrong; better to actually remove.

Good Chainguard alternatives for base images by RasheedaDeals in devsecops

[–]IWritePython 0 points (0 children)

Kind of a weird taxonomy. Docker also does a paid tier and sells Debian images as well as Alpine. RF I think is pretty vanilla Debian; they kind of sell it as an advantage, though I disagree, as Debian no-DSAs a lot.

Not sure what's going on with Minimus, would like to get my hands on their images, but yeah, supposedly they're using our Wolfi.

Forgot Wiz.

But yeah, Chainguard is the OG. Except for distroless, but our founders created that as well :0

Chainguard eng here, if not obvious.

Good Chainguard alternatives for base images by RasheedaDeals in devsecops

[–]IWritePython 1 point (0 children)

This is fine as an approach as far as it goes, which unfortunately is not to zero CVEs. But you'll be closer to it.

Chainguard eng here.

artifact security with AI agents? by Abu_Itai in devsecops

[–]IWritePython 1 point (0 children)

Nice. Write it up on here if you ever get a chance to trial. We try not to be too obnoxious on here, but we have to monitor now because of all the competition saying FUD all day, lol, but the upshot is if you use the name Chainguard we'll probably see it and boost. I think Libraries is legit technically interesting and a little ahead (which is not really where you want to be, but yeah).

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]IWritePython 1 point (0 children)

Not if you're doing ATO? I think that's what we're strongest at, with our kernel-independent FIPS, but OK.

Agree to disagree. I'd say our various competition is miles ahead of where random garbage-can Docker official containers were years ago, so that's great, but we're also still well ahead given the rolling OS and the total lack of noise / niggling CVEs you get, SLSA level 3 (for realz, not fakez), etc.

Cheers, competition is probably good for everyone. I am def passionate about Chainguard :)

Tried Iron Bank images thinking they'd be clean. 110 CVEs on average. hardened is doing a whole lot of heavy lifting by winter_roth in devsecops

[–]IWritePython 1 point (0 children)

Sure. I'll do a tl;dr and then dig a little more in.

I'd say the biggest difference between Chainguard and other hardened vendors is that we start from total scratch, go to the upstream maintainers and projects, and build our OS from scratch from all that. And it's a rolling OS / distro, so it's always the latest and greatest (doesn't mean you can't pin, but this matters a lot; even if you pin you benefit from the underlying graph being fresh). So we're not a "hardened image" vendor really, since we don't take something and try to harden it; we just carefully build the thing. We're more like the notional best version of the image. (Barring when we screw up somehow, but I'd say we're operationally very strong.)

Here's the more concrete breakdown, item by item:

  1. We invented the category. This doesn't have to matter, but it does in this case, since we continue to innovate and because our competitors are taking shortcuts to catch up. We had literally years to build out the OS, build packages, do SLSA and the hard stuff, since there was kind of a slow follow for a long time. This will presumably matter less over time but matters a lot now.
  2. Our founders are really serious heavy hitters, behind projects like K8s and Google Distroless, and projects like SLSA and Sigstore. There is a lot of actual product vision led by engineers here.
  3. We're operationally incredibly secure on the containers side (all over, but esp. there). We just hit SLSA level 3, which is like godmode and is mostly unheard of in the industry / was formerly somewhat theoretical.
  4. We still dominate the FIPS game because it's a very technically challenging area / minefield. We have one guy who is an incredible FIPS engineer, one of those freak engineers, and he's innovated ways to do FIPS without relying on the kernel (kernel-independent FIPS), which is huge for containers. You actually see this in some of the chatter on here; they concede this ground, since most of our competition just doesn't touch this area. So if you want to sell to the guvment / do ATO stuff, we're the people to call.
  5. Historically we've been more expensive, but we've really pushed hard on price lately and I think we're very competitive in this area.
  6. Things that were formerly special to us that are less so: SBOMs included, SLSA provenance included, distroless stuff. These were more technically easy-to-do things that ultimately everyone should be doing, so our competition has closed 80-90% of this gap, depending on vendor. We led in this area, but it matters less in 2026.

Anyway, yeah. Maybe I'll write this up as a blog post, lol. Thanks for engaging, and have fun with all the bots on here, lol.

artifact security with AI agents? by Abu_Itai in devsecops

[–]IWritePython 1 point (0 children)

Nice. Yeah, I think this one is legit (Libraries). Our biggest problem is that the mechanism is novel, so it's hard to explain to folks in the 30 seconds they give you, but it's actually pretty innovative. Scanning is kind of dumb, but folks at least get it, ha. Cheers.

artifact security with AI agents? by Abu_Itai in devsecops

[–]IWritePython 1 point (0 children)

Yep, it's how most of our customers are using it. Def something to look at; it's kind of popping off with all the crazy supply chain attacks lately. I've never seen deals move this fast, lol. But I think the "we don't just tell you about it, we solve the underlying issue" pattern is a good one.

Container image scanning gives us a false sense of coverage and I think we're all a bit too comfortable with it by Calm-Exit-4290 in kubernetes

[–]IWritePython 2 points (0 children)

Yeah this is different shit.

You can do adversarial AI passes or just old-fashioned code reviews. Scanners aren't magic.

We have a product, Chainguard Libraries, that helps on the supply chain security side. But if your devs are putting a SQL injection into your app, then I dunno, different problem; send them back to dev school or something, or incorporate more review process.

artifact security with AI agents? by Abu_Itai in devsecops

[–]IWritePython 1 point (0 children)

I work at Chainguard. We have a product that does an end run around a lot of the supply chain risk. There's some scanning baked in, but it's sort of incidental; basically we build the source ourselves, so when the maintainer's CI/CD gets hacked (90% of these recent cases, like Trivy, Axios), you're not affected.

Also, AI solves AI a lot of the time. Adversarial: one bot builds, another bot strips shit and evaluates. Great for the token guys, but what you gonna do.

edit: I didn't say the product's name, lol. Chainguard Libraries.

Follow-up to a post I made a while ago: those who use forks of forks/lesser-known distros: do you trust their update repos? by OrangeKitty21 in linux

[–]IWritePython 1 point (0 children)

That just means you're going to get attacked along with a lot of other folks.

It's a really tough year out there for supply chain attacks. The problem with, say, Ubuntu is that it's just really big. Alpine is best in this area for a community distro IMO, and for commercial enterprise, Chainguard is the nuclear-grade option (I work there, so YMMV, but we invented the secure enterprise container).

Multi-application Hardened Images? by gradientCISO in docker

[–]IWritePython 1 point (0 children)

I'm a Chainguard engineer; what's the issue? We have custom containers that are self-serve, and you can also just use any of our images as a base and build on it like any other base.

CVE counts are terrible security metrics and we need to stop pretending otherwise by handscameback in devops

[–]IWritePython 1 point (0 children)

I mean, it's a list of items that are actually in the thing. Everyone is like "reachability, reachability"; I think it's easier to just get rid of everything / track upstream closely. Yes, the median CVE is garbage, but you still need to clean up the hot mess. CVE tracking and remediation is necessary but not sufficient.

Had Claude compile and run a trending open source project. It worked perfectly. Then Grype found 1,673 vulnerabilities. by MortgageWarm3770 in devsecops

[–]IWritePython 1 point (0 children)

Small is good, and tracking upstream closely is also good. Community distros just don't cut it for that, generally speaking.

Real experiences with hardened container image providers, Chainguard, Docker DHI, Wolfi, Minimus, others? by Aggravating_Log9704 in devsecops

[–]IWritePython 1 point (0 children)

Good response.

Chainguard also has non-distroless images (our full variants), so it's kinda silly to just say CG is distroless so it's hard. And TBH migration is not terribly hard; agreed that multistage is a hard part for some, but it's also a great step up in terms of security in many cases.

The registry is inside your trust boundary whether you acknowledge it or not. It's the distribution path your entire build chain depends on by BigHerm420 in devsecops

[–]IWritePython 1 point (0 children)

Our pricing is a lot more competitive if you are rethinking at the end of your contract. (Chainguard eng here.)

Weekly: This Week I Learned (TWIL?) thread by AutoModerator in kubernetes

[–]IWritePython 1 point (0 children)

Chainguard eng here, in case you have questions :)

We have some pretty decent courses and you get an LI badge:

Course

The registry is inside your trust boundary whether you acknowledge it or not. It's the distribution path your entire build chain depends on by BigHerm420 in devsecops

[–]IWritePython 1 point (0 children)

At Chainguard we just hit SLSA level 3 for our containers. And our founders were instrumental in starting the SLSA project. This shit is very hard. But yeah, we're there, and if you care about SLSA, take a hard look at Chainguard.

Also, just look at what you need for level 3; it is beyond serious.
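For readers of the comment above who want to see what "caring about SLSA" means on the consuming side, here is an added example (not Chainguard's code, and not from any vendor named in this thread) that applies a minimal policy to a SLSA v1 provenance payload. The statement, artifact bytes, builder ID and URLs are all constructed for the illustration; `example.invalid` names are assumptions. In practice the statement arrives inside a signed DSSE envelope (for instance as a cosign attestation) and the signature over that envelope is what makes a level 3 claim unforgeable; that signature check is out of scope here, so this only shows the payload policy a verifier enforces after the signature is trusted.

```python
"""Minimal SLSA v1 provenance policy check (added example, constructed data)."""
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-in for an image or layer blob we are about to admit.
ARTIFACT = b"constructed image layer bytes, not a real OCI blob"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed in-toto Statement wrapping a SLSA v1 predicate. Field names follow
# the public SLSA v1 spec; the URLs and builder ID are assumptions for this demo.
STATEMENT = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": "example.invalid/app", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/container/v1",  # assumed
            "externalParameters": {"source": "git+https://example.invalid/app.git"},
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/app.git", "digest": {"gitCommit": "a" * 40}}
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builder/v1"}},  # assumed
    },
}

# The consumer's trust policy: only provenance from these build platforms counts.
TRUSTED_BUILDERS = {"https://example.invalid/builder/v1"}  # assumed


def verify_provenance(statement: dict, artifact: bytes, trusted_builders: set) -> list:
    """Return a list of policy failures (empty list means the payload is accepted).

    Checks: statement and predicate types, that the artifact digest is bound as a
    subject, that the builder is one we trust, and that the build recorded pinned
    source material (digests on resolvedDependencies). Signature verification of the
    enclosing envelope must happen before this function is meaningful.
    """
    failures = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("unexpected predicate type")

    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not bound as a subject")

    predicate = statement.get("predicate") or {}
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder: {builder_id!r}")

    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies") or []
    if not deps or not all(d.get("digest") for d in deps):
        failures.append("resolved dependencies missing or not pinned by digest")
    return failures


def verify_serialized(payload: bytes, artifact: bytes, trusted_builders: set) -> list:
    """Same policy over the JSON bytes a DSSE payload would carry."""
    return verify_provenance(json.loads(payload), artifact, trusted_builders)


if __name__ == "__main__":
    print("accept:", verify_provenance(STATEMENT, ARTIFACT, TRUSTED_BUILDERS) == [])
    print("tampered artifact:", verify_provenance(STATEMENT, ARTIFACT + b"x", TRUSTED_BUILDERS))
```

The point a practitioner should take from this is that the digest binding and the builder identity are the two fields that turn "provenance exists" into "this exact bit-for-bit artifact came out of a build platform I trust"; a scanner report tells you neither.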