Not All SBOMs Are Created Equal

Software Bill of Materials documents, or SBOMs, have become a hot topic in software supply chain security these days, with everyone bringing their own solution to the table in response to President Biden’s executive order last year.  While vendors advertise that these solutions are easy to use and accurate,…

Introducing apko: bringing distroless nirvana to Alpine Linux

Earlier today, Chainguard released version 0.1 of our apko tool.  This tool allows for the composition of so-called “distroless” images from APK-based software distributions, such as Alpine Linux, using a declarative configuration.  Unlike the traditional distroless tooling, apko enables the creation of minimal, small-attack-surface images without the complications of…

Automatic SBOMs with ko

For those unfamiliar with ko, it “is a simple, fast container image builder for Go applications;” its objective is to enable developers to stop worrying about containers, and focus on their application.  The philosophy of ko aligns with our mission at Chainguard: to make the software supply chain secure by…

How to Make Package Signing Useful

The Case for Farm-to-Table Package Signing

The benefits and limitations of signing an open source package–using a private key to create a unique digital signature–are a surprisingly contentious topic. One of the maintainers associated with the Python Package Index has a cogent blog post called “Why Package Signing…

What an SBOM Can Do for You

By now, it is common knowledge that a Software Bill of Materials is becoming an increasingly expected requirement for software releases, yet there still seems to be some confusion about what an SBOM can/could do for your project.…