[Minimal - a collection of container images with minimized CVE exposure

The Minimal container image collection, built on Chainguard's apko and Wolfi packages, is designed to minimize security vulnerabilities in production environments. Images are rebuilt daily so they carry the latest security patches, and unnecessary packages are removed to shrink the attack surface. It provides images for the major runtimes and services; every image runs as a non-root user and ships without a shell by default. A build that does not pass the CVE gate is treated as a build failure, and cosign-based signing plus automatic SBOM generation strengthen supply-chain security.

https://news.hada.io/topic?id=26354

#container #security #cve #chainguard #apko

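The post above describes a "CVE gate" that turns scanner findings into a build failure. The following is an added example of such a gate, not code from the Minimal project or from Chainguard. It assumes the JSON layout Trivy emits with `trivy image --format json` (a top-level "Results" list, each entry carrying a "Vulnerabilities" list); the embedded report is constructed for illustration and its CVE IDs are placeholders, not real vulnerabilities.

```python
"""CVE gate: fail a container build when a scanner report contains
vulnerabilities at or above a severity threshold.

Added example, not code from the Minimal project or from Chainguard.
Assumes the JSON shape Trivy writes for `trivy image --format json`
("Results" -> "Vulnerabilities"); the report below is constructed and
its IDs are placeholders.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (not a real scan); IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/nginx:latest",
    "Results": [
        {
            "Target": "example.invalid/nginx:latest (wolfi)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0-r1", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        }
    ],
})


def findings(report_json):
    """Flatten a Trivy-style report into (id, pkg, installed, fixed, severity).
    Trivy omits the "Vulnerabilities" key when a target is clean."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append((
                v.get("VulnerabilityID", "?"),
                v.get("PkgName", "?"),
                v.get("InstalledVersion", "?"),
                v.get("FixedVersion", ""),
                v.get("Severity", "UNKNOWN").upper(),
            ))
    return out


def gate(report_json, fail_on="MEDIUM", ignore_unfixed=False, allowlist=()):
    """Return (passed, blocking). A finding blocks the build when its
    severity is >= fail_on, its ID is not allowlisted and, if
    ignore_unfixed is set, a fixed version exists (no fix = nothing to
    rebuild against yet, so it is reported but does not fail the gate)."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for vid, pkg, inst, fixed, sev in findings(report_json):
        if vid in allowlist:
            continue
        if ignore_unfixed and not fixed:
            continue
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            blocking.append((vid, pkg, inst, fixed, sev))
    return (not blocking, blocking)


def main(argv):
    # Usage: python cve_gate.py [report.json] [MIN_SEVERITY]
    # Without a file argument the constructed sample report is checked.
    report = SAMPLE_REPORT if len(argv) < 2 else open(argv[1]).read()
    fail_on = argv[2] if len(argv) > 2 else "MEDIUM"
    passed, blocking = gate(report, fail_on)
    for vid, pkg, inst, fixed, sev in blocking:
        print(f"BLOCK {sev:8} {vid} {pkg} {inst} -> {fixed or 'no fix yet'}")
    print("CVE gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status is what makes the CI job fail; the allowlist is the escape hatch for a reviewed false positive, and `ignore_unfixed` is the knob to decide whether findings without an upstream fix should block a daily rebuild.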

What I did in the last couple of weeks (part 8):

Did I mention previously that building container images with apko using packages from WolfiOS is a very pleasant and nice experience?

Well, I needed to build an image in GitlabCI. For GitHub, there is an official apko action that works flawlessly.
For GitlabCI, though, I found that the official apko image does not work due to the lack of a shell inside the container (which normally is a good thing safety-wise).

So, I built my own apko image on GitHub and then used that in GitlabCI to build an image using apko there.

https://github.com/kastl-ars/wolfi-apko-with-bash

I also opened an issue with the apko maintainers for this, as GitlabCI support would be really nice.

BTW, huge shoutout to the Chainguard folks for maintaining WolfiOS and so many safe and small images!

#container #GitlabCI #cicd #apko #chainguard


This week I have been building some #container images for e.g. #renovatebot and I must say I really dig #Chainguard and the #WolfiOS ecosystem. Building an image locally using #apko was a breeze. Building on #GitHub was easy due to their Github Action.

And the long list of packages available is nice.

And the list of CVEs in the image is really short.

I'll try to get my hands dirty with melange and try to build a Pluto package for WolfiOS...

📯 Did you know that @chainguard_dev has a YouTube channel and they are creating lots of amazing content in there?
🔖 @lorenc_dan is doing a video series called "Bring Your Own Image" that lets you learn first-hand how to create packages/images using #apko and #melange!
🎤 @adrianmouat is doing practical lightning talks about images, digests, signatures and SBOMs, of course explaining how they relate to the @chainguard_dev tooling!
➡️ https://www.youtube.com/@chainguard/videos

I've been wanting to kick the tires on #melange and #apko for a while. Finally found an excuse this week and I'm in 😍 got a 5.4 MB nginx image w/ 0 vulns (snyk/trivy) and a custom module added.

Now to figure out a new pipeline for managing these not-on-my-box.

While using #apko and #melange to build container images for both architectures (amd64/arm64), I encountered the following error:

`bwrap: execvp /bin/sh: Exec format error`

Use Tõnis Tiigi's binfmt project to install the qemu-user emulators for the target architectures you want to build for 👋

> $ docker run --privileged --rm tonistiigi/binfmt --install all
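The error above is the kernel refusing to exec a `/bin/sh` compiled for the target architecture because no binfmt_misc handler (qemu-user) is registered for it, which is exactly what `tonistiigi/binfmt --install` fixes. The following is an added diagnostic, not apko, melange or bwrap code: it reads the `e_machine` field of an ELF header, compares it with the host, and checks the `/proc/sys/fs/binfmt_misc/qemu-<arch>` entry that the binfmt installer registers. The ELF headers it builds are constructed for illustration (not loadable binaries), and the host-name mapping assumes Linux `uname -m` style names such as `x86_64` and `aarch64`.

```python
"""Diagnose `Exec format error` for cross-architecture builds.

Added example; not code from apko, melange or bubblewrap. Parses the
ELF header of a binary, compares its target machine with the host, and
inspects the binfmt_misc entry a qemu-user installer registers. The
ELF headers constructed here are illustration only (not runnable
binaries); host names are assumed to be Linux `uname -m` style.
"""
import os
import platform
import struct

# e_machine values from the ELF specification.
ELF_MACHINES = {0x03: "i386", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64", 0xF3: "riscv64"}
# Target machine -> binfmt_misc entry name used by qemu-user handlers.
QEMU_ENTRY = {"i386": "qemu-i386", "arm": "qemu-arm", "x86_64": "qemu-x86_64",
              "aarch64": "qemu-aarch64", "riscv64": "qemu-riscv64"}

# Constructed contents of a binfmt_misc entry file (shape as shown by the
# kernel: status line, interpreter, flags, offset, magic, mask).
SAMPLE_BINFMT_ENTRY = """enabled
interpreter /usr/bin/qemu-aarch64
flags: POCF
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
"""


def elf_machine(header):
    """Return the e_machine name from an ELF header (first 20 bytes suffice)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big
    (machine,) = struct.unpack(endian + "H", header[18:20])
    return ELF_MACHINES.get(machine, f"unknown(0x{machine:x})")


def fake_elf_header(machine, little_endian=True):
    """Construct a minimal 64-bit ELF header with the given e_machine
    (illustration only; it is not a loadable binary)."""
    ei_data = 1 if little_endian else 2
    endian = "<" if little_endian else ">"
    ident = b"\x7fELF" + bytes([2, ei_data, 1, 0]) + b"\x00" * 8   # e_ident
    return ident + struct.pack(endian + "HH", 2, machine)           # ET_EXEC, e_machine


def parse_binfmt_entry(text):
    """Status of a binfmt_misc entry from its file contents; the kernel
    writes 'enabled' or 'disabled' on the first line."""
    lines = text.strip().splitlines()
    return "enabled" if lines and lines[0].strip() == "enabled" else "disabled"


def binfmt_status(arch, root="/proc/sys/fs/binfmt_misc"):
    """'enabled', 'disabled' or 'missing' for the qemu-user handler of arch."""
    entry = QEMU_ENTRY.get(arch)
    if entry is None:
        return "missing"
    try:
        with open(os.path.join(root, entry)) as f:
            return parse_binfmt_entry(f.read())
    except OSError:
        return "missing"


def diagnose(header, host=None, binfmt_root="/proc/sys/fs/binfmt_misc"):
    """Explain whether exec'ing this binary on the host needs emulation,
    and whether the kernel has a handler for it."""
    host = host or platform.machine()
    target = elf_machine(header)
    if target == host:
        return "native"
    status = binfmt_status(target, binfmt_root)
    if status == "enabled":
        return f"emulated via {QEMU_ENTRY[target]}"
    return (f"Exec format error expected: {target} binary on {host} host, "
            f"binfmt_misc handler is {status}; run "
            "'docker run --privileged --rm tonistiigi/binfmt --install all'")


if __name__ == "__main__":
    # Check the real /bin/sh of this host, then a constructed aarch64 header.
    with open("/bin/sh", "rb") as f:
        print("/bin/sh:", diagnose(f.read(20)))
    print("aarch64 sample:", diagnose(fake_elf_header(0xB7)))
```

Run it on the CI runner before the multi-arch build: a `missing` or `disabled` handler for the architecture you are cross-building is the condition that produces the `bwrap: execvp /bin/sh: Exec format error` above.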

As a reminder, if you are using #apko to build @alpinelinux 3.18-based images, you will need 0.8.0 or later, which adds support for python~3.11-style dependency relationships.
apko: 0.7.3 -> 0.8.0 by developer-guy · Pull Request #228007 · NixOS/nixpkgs

#apko 0.8.0 has been released, adding support for the tilde version-matching operator (oops, we forgot about it, sorry), as used by Alpine 3.18's Python packages.
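For readers who have not met the operator the two posts above refer to: in apk-style dependency constraints, `python~3.11` means "any version whose leading components are 3.11", which is why an apko release without it could not resolve Alpine 3.18's Python packages. The following is an added example, not apko's or apk-tools' resolver code. It implements the fuzzy match as I understand it (the constraint's dotted components are compared one by one against the candidate and anything beyond them is ignored), and simplifies full apk version ordering: numeric components are compared, a missing component counts as 0, only the `-rN` revision of the suffix is ordered, and `_alpha`/`_p` style suffixes are not ranked.

```python
"""apk-style dependency constraints including the `~` (fuzzy) operator.

Added example, not code from apko or apk-tools. Fuzzy semantics here
are an assumption about apk's behaviour: compare only the components
the constraint spells out. Version ordering is simplified (numeric
components, then -rN revision; other suffixes are not ordered).
"""
import re

# name, optional operator, version; operator characters never occur in names.
CONSTRAINT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.+-]*)(?:(~|>=|<=|=|>|<)(\S+))?$")
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_components(version):
    """'3.11.4-r0' -> ([3, 11, 4], '-r0')."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return [int(x) for x in m.group(1).split(".")], m.group(2)


def revision(suffix):
    """Package revision from a '-rN' suffix, 0 when absent."""
    m = re.search(r"-r(\d+)$", suffix)
    return int(m.group(1)) if m else 0


def compare(a, b):
    """-1, 0 or 1 ordering two versions (simplified, see module docstring)."""
    ca, sa = version_components(a)
    cb, sb = version_components(b)
    n = max(len(ca), len(cb))
    ca, cb = ca + [0] * (n - len(ca)), cb + [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    ra, rb = revision(sa), revision(sb)
    return (ra > rb) - (ra < rb)


def fuzzy_match(candidate, constraint_version):
    """The `~` operator: the candidate's leading components must equal all
    of the constraint's components; later components, suffix and
    revision are ignored. So 3.11.4-r0 ~ 3.11, but 3.1.0 and 3.12.0 do not."""
    cand, _ = version_components(candidate)
    want, _ = version_components(constraint_version)
    return cand[:len(want)] == want


def satisfies(installed_name, installed_version, constraint):
    """Does an installed package satisfy a constraint such as 'python~3.11'?"""
    m = CONSTRAINT_RE.match(constraint)
    if not m:
        raise ValueError(f"unparseable constraint: {constraint!r}")
    name, op, ver = m.groups()
    if name != installed_name:
        return False
    if op is None:                       # bare name: any version
        return True
    if op == "~":
        return fuzzy_match(installed_version, ver)
    c = compare(installed_version, ver)
    return {"=": c == 0, ">": c > 0, "<": c < 0, ">=": c >= 0, "<=": c <= 0}[op]


if __name__ == "__main__":
    for cand in ("3.11.4-r0", "3.12.0-r0", "3.1.0-r2"):
        print(f"python-{cand} satisfies python~3.11:",
              satisfies("python", cand, "python~3.11"))
```

The case to keep in mind when writing constraints is that fuzzy matching is by component, not by string prefix: `foo~1.2` does not match `1.20`.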
🎧🤸 Do you want to learn more about creating secure container images for your #rust and #golang projects by using two of the newest projects from the @chainguard_dev tooling, #apko and #melange? If so, please go and watch the latest @wolfi community call 💃 www.youtube.com/watch?v=Uc2t3VbCTQs