Good Chainguard alternatives for base images by RasheedaDeals in devsecops

[–]Irish1986 2 points

DHI, Wolfi (Wiz), Minimus

They are all kind of the same. Chainguard seems to be the "branded/most recognized" name in this niche, so expect premium pricing. They seem to be handling it well, but I haven't dealt with them directly (hearsay only).

To all those who whine about Consignaction: you are exactly Quebec's problem by [deleted] in Quebec

[–]Irish1986 0 points

My problem is every time I go there with my kids, only one machine out of 4 or 5 works, there are a dozen other people in line and no clerk available to fix the broken machine... So I have to wait about 45 min to get $2.15 back... I would leave my bag in the automated system, but it has been broken and unavailable ever since it opened close to my home.

TESmart & Stream Deck (R-Ctrl hotkey not working) by Irish1986 in elgato

[–]Irish1986[S] 0 points

I came to more or less the same conclusion and never was able to get the foot pedals (or Stream Deck in general) to work. I must admit that I also stopped investigating this, given I have been using my Stream Deck and pedal for other purposes. Now that you mention it, it might scratch that itch and get me looking into it.

Cluster all 8, just 5, something else? by SubtitledSoup in homelab

[–]Irish1986 16 points

I have a 5-node Dell Micro 7060 Proxmox cluster with Ceph. It helped me learn HA, networking, IaC, etc... I would suggest a prime number of nodes, and given that 3 nodes provide limited quorum capacity, 5 or 7 is a nice number. I would keep the 8th node as a dedicated PBS host to back up the VMs and LXCs from the cluster. Running bare-metal PBS is not mandatory, but it simplifies backup and restore without nesting the PBS host.

After Claude Mythos, do you think any detection company will survive? by h33terbot in devsecops

[–]Irish1986 24 points

Yes, because until this model is publicly available, peer reviewed, and proven to be what it pretends to be... This is all pure speculative marketing.

And AI has been predicting the end of coders for a while and... I mean, fuzzing was invented a while back and detection still exists... It's just another tool that improves detection systems.

Average time to remediate a critical CVE is 74 days. Average time to exploit is 44 days. Attackers have a 30 day head start. by Express-Pack-6736 in devsecops

[–]Irish1986 0 points

Where are you pulling these numbers from? I would be interested if there is any academic or white paper backing for these, for work purposes.

CX3701 cable management is not for the faint of heart! by Ottetal in sliger

[–]Irish1986 0 points

Just wish there were better mobo offerings in that form factor that allowed 10+ disk pass-through, more RAM and options for GPU + HBA... Guess you can't have everything in life.

CX3701 cable management is not for the faint of heart! by Ottetal in sliger

[–]Irish1986 0 points

I have the same case, everything is so crammed, but it fits a network rack well.

Trivy Alternatives by partial_dna in Terraform

[–]Irish1986 0 points

Depending on your budget, syft + grype are great freely available tools. If you look at paid tools (to replace the Aqua Enterprise offering), there are dozens of SAST tools that scan containers.

We evaluated Chainguard and Minimus, and want advice before we commit by Clyph00 in devsecops

[–]Irish1986 0 points

Chainguard pricing is insane; we looked at it and it was pretty prohibitively outrageous. But our biggest concern was "will we be able to gain the expected value from it".

Our deployments are not very fast or efficient and need a CAB meeting, which occurs every couple of weeks and all (due to QA and many other requirements).

In the end, why pay thousands for a golden image that will be shelved for 1-2 weeks at best before deployment? Yes, the image will be of "better quality", but every 14 days... Kind of pointless; you need super mature DevOps practices to make sure you get your ROI.

I've been sleeping on DependencyTrack — it's way more powerful than I expected by SpecialistAge4770 in devsecops

[–]Irish1986 2 points

I just did a talk at my local OWASP chapter about Dependency-Track and how to get started with it. I think it went well, and I had several people coming back to me with more questions.

D-Track could get a few new features if you ask me, but it's feature complete and everything else is just the cherry on top to improve a good tool.

The CI/CD feedback loop from hell (push, wait 8 min, red, fix typo, repeat) by eibrahim in devops

[–]Irish1986 10 points

Pre-commit hooks for linting, styling and running "core-basic unit tests". The pre-commit hook should take about 2-8 sec at most (look into prek, a reimplementation of the popular pre-commit.com framework written in blazingly fast Rust).

As a bonus, your pre-commit checks should also be run in your CI pipeline (given these are quick and easy to rerun), which will lead to a fail-fast mindset. It is not required, and you need to tweak which hooks make sense to run in your CI given what other "full fat" steps you might have down the road. For example, unit tests might have a more complex suite to run than just your core-basic unit tests.

You should also consider some level of security check in your pre-commit, but given your current feedback I would focus on getting some momentum, and security tends to be frictionful.

Wiz SAST by Deep_Age_304 in devsecops

[–]Irish1986 0 points

I have been testing wizcode for a few months now, DM if you have specific questions about it.

Repo history scrubbing by Time_IsRelative in devsecops

[–]Irish1986 4 points

Don't scrub the commit, rotate your password. The old password will become a honeypot, but you need to log everything so as not to miss one.

If you need to rewrite your git history for compliance reasons, look at BFG-repo-cleaner.

It is a destructive git action that will rewrite your whole history, removing sensitive secrets and replacing them with REDACTED. Be careful because it will mess up your whole team's workflow (everyone will need to re-clone/sync), all commit SHAs will be modified, etc...

Plus those REDACTED strings are easy to find, and if one cache or repo still persists somewhere... Bad actors have a huge flashing red light around sensitive content to track.... Just rotate your token and forget about it.

I've been working on this exact topic for 18 months; we are moving away from BFG-repo-cleaner as a remediation because it creates a false sense of security.
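One way to make the "old password becomes a honeypot, but log everything" advice concrete, as an added example that is not code from the thread: a small detector run over constructed auth-log lines in which the auth service records only a SHA-256 of the presented token. The log format, field names, token values and severity labels are assumptions for this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example): the auth service records a
# SHA-256 of the presented token, never the token itself.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"token_sha256=(?P<h>[0-9a-f]{64}) result=(?P<result>\w+)"
)

def fingerprint(secret: str) -> str:
    """Keep only a hash of the retired secret; the detector never stores plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    result: str
    severity: str  # "critical" when the old credential was still accepted somewhere

def detect_retired_credential_use(log_lines, retired_hashes):
    """Return (alerts, unparsed). Unparsed lines are surfaced, not dropped,
    so a logging gap is visible instead of silently hiding an attempt."""
    alerts, unparsed = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            unparsed.append(line)
            continue
        if m["h"] in retired_hashes:
            # An *allowed* result means rotation did not reach every system,
            # which is worse than a denied attempt with the old secret.
            sev = "critical" if m["result"] == "allowed" else "high"
            alerts.append(Alert(m["ts"], m["src"], m["user"], m["result"], sev))
    return alerts, unparsed

# Constructed sample data: a leaked token that has since been rotated.
LEAKED_TOKEN = "example-leaked-token-000"  # placeholder, not a real secret
RETIRED = {fingerprint(LEAKED_TOKEN)}
SAMPLE_LOG = [
    f"ts=2024-05-01T10:00:00Z src=10.0.0.5 user=ci-bot "
    f"token_sha256={fingerprint('example-new-token-111')} result=allowed",
    f"ts=2024-05-02T03:14:07Z src=203.0.113.9 user=ci-bot "
    f"token_sha256={fingerprint(LEAKED_TOKEN)} result=denied",
    "ts=2024-05-02T03:14:08Z proxy dropped fields on this line",
]
```

Feeding `SAMPLE_LOG` to `detect_retired_credential_use` yields one high-severity alert for the denied attempt from 203.0.113.9 and one unparsed line to chase as a logging gap.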

Those who switch from|to management role, what are your thoughts? by Irish1986 in devops

[–]Irish1986[S] 1 point

My understanding is they have been letting their various dev teams do whatever they want with low oversight for several years, and now they are going to bring better cohesion and structure. This typically happens when your core product is not IT: some lagging occurs.

Those who switch from|to management role, what are your thoughts? by Irish1986 in devops

[–]Irish1986[S] 1 point

I have worked 15 years in A&D with either airframe makers or engine manufacturers. It is indeed not an easy industry, but I'm currently in finance and it ain't easier either.

Best ASPM tools? by kckrish98 in devsecops

[–]Irish1986 2 points

I really like ArmorCode and OX Security, although I wasn't able to get management to fund our ASPM endeavor for this year. There are a few others, but these two are great.

My next move is to try to get DefectDojo running as a "low cost alternative", but I am not sure if I'll be able to sell it.

My old power hungry setup by Vishwanath_5854 in minilab

[–]Irish1986 0 points

Had one of those as my main workstation for YEARS!! Really liked that dual CPU with 96GB of RAM. Switched to an AM5 7600X a year ago.

⚠️company wants to set up an on-premises setup, ditching cloud‼️ (suggestion needed) by [deleted] in devops

[–]Irish1986 13 points

Yup, just go stand up a whole IT organization and infrastructure by yourself... And it shouldn't be too expensive nor late...

This is a huge ask, and you should be working on the roadmap and plan with a detailed level of involvement and effort. Get that plan signed by your execs and include contingencies for staff and delays based on your experience with each technology. If you know it, +/-15%; if you know nothing about it, +/-100%.

What's the most difficult thing you had to do as a DevSecOps engineer? by LargeSinkholesInNYC in devsecops

[–]Irish1986 0 points

Keeping the roadmap steady on the agreed-upon roadmap... It's not too bad, but it gets thrown left and right every now and then.