Wolfi: A Linux undistro with security measures for the software supply chain

Wolfi is a new community Linux undistribution that combines the best aspects of existing container base images with default security measures that will include software signatures powered by Sigstore, provenance, and software bills of material (SBOM).

Wolfi Linux

Software supply chain security

Software supply chain security is unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.

The ecosystem’s push for software supply chain integrity and transparency has left organizations struggling to build software security measures like signatures, provenance, and SBOMs into legacy systems and existing Linux distributions.

Recently, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) tried to add to the conversation and released a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.

Wolfi Linux features

Chainguard’s new Linux undistribution and build toolchain, Wolfi, is designed from the ground up to produce container images that meet the requirements of a secure software supply chain.

“We refer to Wolfi as an undistro because it is not a full Linux distribution designed to run on bare-metal, but a stripped-down one designed for the cloud-native era. Most notably, we don’t include a Linux kernel, instead relying on the environment (such as the container runtime) to provide this,” said Dan Lorenc, CEO at Chainguard.

The key features of Wolfi are:

  • Provides a build-time SBOM as standard for all packages
  • Packages are designed to be granular and independent, to support minimal images
  • Uses the proven and reliable APK package format
  • Declarative and reproducible build system
  • Designed to support glibc and musl

“SCA vendors would have the market believe that software supply chain vulnerabilities are among the normal class of CVEs that can be detected by scanning software packages and distributions. But most scanners use package databases to see what packages are installed inside of containers, and much of today’s software is being installed manually, rather than via package managers. Further, Linux distributions themselves typically only distribute stable versions of software for long periods of time, whereas developers installing software are (again) doing manual installations to get the latest versions, or the mostly newly patched versions. As a result, there is a huge disconnect between what scanners are able to detect by way of software supply chain security CVEs, and what actually exists in the typical environment. Wolfi is a new undistro that is taking constantly updated base container images that aim for zero-known vulnerabilities, to eliminate this lag between common distributions and container images, and users running images with known vulnerabilities. Wolfi closes this gap by making sure that container images have provenance information (where images come from, and making sure they are not tampered with), and makes the generation of SBOM something that can happen during the build process, and not at the end,” Lorenc told Help Net Security.

Wolfi is available for download on GitHub.

Don't miss