Securing Software Repositories with the OpenSSF

Here at Chainguard, we believe that everyone benefits from better security in open-source software. That’s why we’re so excited that the OpenSSF has just created a new “Securing Software Repositories” working group, which aims to bring maintainers of software repositories and package managers together to share and develop…

Intro to OCI Reference Types

What is OCI? OCI stands for Open Container Initiative. This is a group which oversees a collection of open specifications relating to containers. If you have ever run an application on Kubernetes, then you have leveraged OCI. There are 3 primary OCI specifications: (1) the runtime spec, which defines how…

YOLO Levels: Insecure Your Software Supply Chain!

There exists a widespread misperception that making your software supply chain secure is hard, that few companies can achieve SLSA level 4. We call bullshit. For instance, signing artifacts with Sigstore is easy. Making your software supply chain ultra insecure, on the other hand, is hard work. That’s why…