The first purpose behind Wolfi, which was introduced a 12 months in the past, is to create safe, hardened containers with zero recognized CVEs, in line with the challenge maintainers in a publish. 

Since its launch, the crew of maintainers at Chainguard, together with neighborhood contributors, has been centered on aiding builders in addressing software program provide chain safety challenges. They achieved this by providing a foundational platform for constructing software program securely from the outset.

“I exploit Wolfi primarily on Home windows Subsystem for Linux, so my viewpoint is kind of completely different from the standard use case, nevertheless the rationale I do it’s the similar: safety. Wolfi forces me to assume otherwise, in an excellent and safe manner, relating to bundle choice and in the end, I can apply this data when creating new containerized functions,” stated Nuno do Carmo, technical author at SUSE and Wolfi Group Member.

Prior to now 12 months, Wolfi has made important progress, boasting over 1,300 bundle configurations in its repository and a formidable 18,000+ packages in its index. With greater than 4,400 merged PRs and contributions from 60 people, the challenge has garnered widespread help.

One standout achievement is Wolfi’s bundle replace interval, measured in hours, guaranteeing customers obtain well timed updates. It sometimes takes lower than 24 hours for a brand new Wolfi bundle launch after an upstream supply code replace, making it exceptionally quick.

The Wolfi neighborhood has additionally embraced scanning instruments for vulnerability assessments, together with Docker Scout, Grype, Snyk, Trivy, and Wiz, with Prisma Cloud on the horizon.

Wolfi’s technical improvements are tailor-made to handle the calls for of the quickly evolving containerized and cloud-native workloads. 

The challenge prioritizes replace pace over stability, using a rolling launch cadence with out conventional model numbers, in line with the crew. This ensures that customers have entry to vulnerability-free packages promptly.

Among the many technical milestones achieved prior to now 12 months, Wolfi launched “wolfi-act,” an open-source challenge enabling dynamic use of Wolfi packages inside GitHub Actions. It additionally prolonged help to 64-bit ARM structure, optimizing packages for main cloud suppliers like AWS, GCP, and Azure. Moreover, the combination of the Rustls TLS library in partnership with the Web Safety Analysis Group (ISRG) enhances reminiscence security, addressing essential vulnerabilities within the software program panorama. These developments place Wolfi as a promising distro for cloud-native improvement and software program provide chain safety innovation.

“For the reason that start of recent containers, few distros had an actual influence and, Wolfi is certainly one in all them. For the reason that creation, the thought was to have a container (un)distro as a substitute of trimming down an current distro. It might sound to achieve the identical finish purpose, nevertheless in apply this implies Wolfi can actually be a ‘safety first’ distro because it doesn’t need to be debloated,” Carmo added.