The primary goal behind Wolfi, which was announced a year ago, is to create secure, hardened containers with zero known CVEs, according to a post by the project maintainers.
Since its release, the team of maintainers at Chainguard, along with community contributors, has been focused on aiding developers in addressing software supply chain security challenges. They achieved this by offering a foundational platform for building software securely from the outset.
“I use Wolfi mainly on Windows Subsystem for Linux, so my point of view is quite different from the typical use case; however, the reason I do it is the same: security. Wolfi forces me to think differently, in a good and secure way, when it comes to package selection and, ultimately, I can apply this knowledge when creating new containerized applications,” said Nuno do Carmo, technical writer at SUSE and Wolfi community member.
In the past year, Wolfi has made significant progress, boasting over 1,300 package configurations in its repository and an impressive 18,000+ packages in its index. With more than 4,400 merged PRs and contributions from 60 individuals, the project has garnered widespread support.
One standout achievement is Wolfi’s package update interval, which is measured in hours rather than days or weeks: a new Wolfi package release typically follows less than 24 hours after an upstream source code update, so users receive fixes exceptionally fast.
The Wolfi community has also embraced scanning tools for vulnerability assessments, including Docker Scout, Grype, Snyk, Trivy, and Wiz, with Prisma Cloud on the horizon.
Wolfi’s technical innovations are tailored to the demands of rapidly evolving containerized and cloud-native workloads.
The project prioritizes update speed over stability, employing a rolling release cadence without traditional version numbers, according to the team. This ensures that users have access to vulnerability-free packages promptly.
Among the technical milestones achieved in the past year, Wolfi introduced “wolfi-act,” an open-source project enabling dynamic use of Wolfi packages within GitHub Actions. It also extended support to the 64-bit ARM architecture, optimizing packages for leading cloud providers such as AWS, GCP, and Azure. Additionally, the integration of the Rustls TLS library, a TLS implementation written in Rust, in partnership with the Internet Security Research Group (ISRG) improves memory safety, addressing a class of critical vulnerabilities that has long affected native TLS stacks. These advancements position Wolfi as a promising distro for cloud-native development and software supply chain security innovation.
“Since the birth of modern containers, few distros have had a real impact, and Wolfi is definitely one of them. Since its creation, the idea was to have a container (un)distro instead of trimming down an existing distro. It might seem to reach the same end goal; however, in practice this means Wolfi can really be a ‘security first’ distro as it doesn’t have to be debloated,” do Carmo added.