How to Use Low-CVE Chainguard Container Images on Docker Hub

For overall security, the attributes of a vetted CVE-free or reasonably CVE-free container, which Chainguard offers, provide an effective level of protection.
Apr 19th, 2024 8:04am by
Feature image by B. Cameron Gain.

Chainguard’s hardened container images are now available on Docker Hub. This means you can search for Chainguard on Docker Hub, where over 400 of its images are listed, including Chainguard Python, which this tutorial shows how to download and run. Docker recommends Chainguard’s low-CVE container images as a safer way to work with containers. The team at Chainguard argues that, for overall security, the attributes of a vetted CVE-free or reasonably CVE-free container, which Chainguard offers, provide a meaningful level of protection. Although not foolproof, these attributes, now extended more directly into Docker, can save a lot of pain when vetting and managing container vulnerabilities.

First, the key points of a Chainguard image are that it is built to avoid shipping vulnerable software, and that updates and alerts are not just issued but automatically applied, instead of leaving you to grapple with countless vulnerabilities and alerts without clear guidance on what needs fixing. While it wasn’t impossible to run a Chainguard protective container for your applications previously, the process is now much simpler and more direct, thanks to Chainguard images’ availability on Docker Hub, the largest container repository. This extends Chainguard’s main goal of helping to isolate and manage vulnerabilities directly within each container image, which are designed to be lightweight. As Ville Aikas, a co-founder of Chainguard, told The New Stack during KubeCon + CloudNativeCon Europe: “We eliminate vulnerabilities and exploits in production. That’s the simplest description of the value problem.”

Chainguard’s catalog currently has over 600 images, so Chainguard images can offer protection for application containers that otherwise would not be as well protected by default. In addition to Python, Chainguard images on Docker Hub cover Redis, NGINX, Prometheus and more. Chainguard images are lightweight because, by default, they contain neither a shell nor a package manager; both can be added for developers if needed. The idea is to provide images that contain only the minimum software needed to run the application.

Get It

We used Python for our tutorial. After pulling the Chainguard Python image and clicking on it in the Docker Hub list, the container’s information is shown (note the lightweight 65.48 MB size):

To check the CVE count, we ran Docker Scout in Windows PowerShell, which reported two vulnerabilities, one of them critical; two is still a relatively low count. However, the critical finding appears to be a false positive according to an issue reported on GitHub, and scans with Grype or Trivy would likely not report a critical vulnerability at this time, although we did not complete those scans:

So, entirely on Docker Hub, I was able to obtain a Chainguard image for Python with just a few commands. This security posture and the information provided are useful if I want to use the container as a developer, for example.

SBOMed

There has also been increased interest in SBOMs (software bills of materials) because of the security advantages they provide, namely the ability to trace the sources of the software code used in an application. They are also helpful for compliance, such as meeting SOC 1 and SOC 2 (system and organization controls) requirements. In a demo, Adrian Mouat, who works in developer relations for Chainguard, described how to retrieve the SBOM attestations linked to a Chainguard image. As Mouat described, the SBOM provides a comprehensive list of all the software components present in the image, including their versions, compiled at build time. With Cosign, you can download these attestations, including the SBOM. Here is how to do it, as Mouat described:

Install Cosign: First, ensure that Cosign is installed on your system. You can typically install Cosign via package managers or by downloading it directly from its repository.

Retrieve Attestations: Use Cosign to retrieve the attestations linked to the image. This may involve running commands like Cosign download or Cosign get-attestations. Check the Cosign documentation or help menu for the specific command syntax.

Access SBOM: Once you’ve downloaded the attestations, look for the SBOM among the downloaded files. The SBOM will provide a detailed list of all the software components and their versions included in the image.

Review SBOM: Review the SBOM to ensure that all the necessary software components and versions are included. This information is crucial for understanding the software dependencies and ensuring compliance with licensing requirements.

With the command Cosign download attestation, the image’s signature is verified:
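As an added example (not code from the article, Mouat’s demo or Chainguard’s tooling), the Python below reads the JSON-lines output that `cosign download attestation` writes, picks the SPDX statement out of the DSSE envelopes and flattens its package list for the review step. The envelopes, packages and signature values are constructed for the example, and the SBOM is assumed to use the `https://spdx.dev/Document` predicate type; the code only parses the attestation, so signature verification remains a separate Cosign step.

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Constructed sample of what `cosign download attestation <image>` prints: one DSSE
# envelope per line, each carrying a base64-encoded in-toto statement. Packages,
# digest and signature are placeholders, so nothing here is cryptographically verified.
_SPDX_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "cgr.dev/chainguard/python", "digest": {"sha256": "PLACEHOLDER"}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "python-3.12", "versionInfo": "3.12.3-r0", "licenseDeclared": "PSF-2.0"},
        {"name": "openssl", "versionInfo": "3.3.0-r0", "licenseDeclared": "Apache-2.0"},
        {"name": "ca-certificates-bundle", "versionInfo": "20240226-r0"},
    ]},
}
_OTHER_STATEMENT = {  # a non-SBOM attestation, so the reader sees why filtering matters
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": _SPDX_STATEMENT["subject"],
    "predicate": {"builder": {"id": "PLACEHOLDER"}},
}

def _envelope(statement):
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})
ATTESTATION_OUTPUT = _envelope(_OTHER_STATEMENT) + "\n" + _envelope(_SPDX_STATEMENT) + "\n"

def decode_envelopes(text):
    """Parse the JSON-lines output into decoded in-toto statements."""
    statements = []
    for line in filter(str.strip, text.splitlines()):
        env = json.loads(line)
        if env.get("payloadType") == INTOTO_PAYLOAD_TYPE:  # ignore other payload kinds
            statements.append(json.loads(base64.b64decode(env["payload"])))
    return statements

def find_sbom(statements):
    """Return the SPDX document (the SBOM) or None if the image ships none."""
    return next((s["predicate"] for s in statements
                 if s.get("predicateType") == SPDX_PREDICATE), None)

def list_packages(sbom):
    """Flatten the SBOM into (name, version, license) rows for review."""
    return [(p["name"], p.get("versionInfo", "?"), p.get("licenseDeclared", "NOASSERTION"))
            for p in sbom.get("packages", [])]
```

Feeding real `cosign download attestation` output to `decode_envelopes` instead of the constructed `ATTESTATION_OUTPUT` gives the package rows to compare against your scanner results.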

Here is a list of software packages in the Redis image:

But while the integration of SBOMs with Chainguard images is not unimportant, it is not the main purpose. Regarding the use of SBOMs for SOC 2 compliance, it is ill-advised to say “I have this SBOM sitting in the container, and I have checked a box,” Aikas said. “The SBOM basically adds burden because you have to do something extra and you don’t get any benefit out of it,” Aikas said. “But with the Chainguard image, you can also rely on it to have few to no vulnerabilities, which you can also scan to check, and that is the main security part of this.”

TNS owner Insight Partners is an investor in: Docker.