
Build a golden image program with Chainguard Images and JFrog Artifactory and Xray

Jordi Mon Companys, Senior Product Marketing Manager

Today, organizations face increasing pressure to secure their software supply chains due to the rising number of upstream open source software (OSS) attacks. Government regulations, such as the requirement for software bills of material (SBOMs), further emphasize the need for transparency and accountability in software development. Curated OSS catalogs have emerged as a strategic solution to address these challenges, aligning with platform engineering goals of providing secure "paved roads" or “golden paths” for software development.

Using a curated open source software catalog is one of the building blocks of a successful golden image program. That's why we at Chainguard are thrilled to announce our partnership with JFrog, the industry leading Software Supply Chain Platform to build a secure OSS image repository with confidence. Together, we are bringing a solution that combines the power of Chainguard's hardened, minimal container images with JFrog's cutting-edge scanning and management capabilities to kickstart anyone’s journey to successfully securing open source software consumption.

JFrog Artifactory and Xray: Unmatched visibility and control

For those of you unfamiliar with JFrog, the JFrog Platform is renowned for its ability to provide deep visibility and control over your software supply chain. With JFrog Artifactory, you gain a central repository for managing and storing all your software artifacts, ensuring a single source of truth for your development process. And with JFrog Xray’s advanced scanning technology, you can now continuously monitor your Chainguard Images for vulnerabilities.


Image showing details of Xray 3.97.3 featuring support for Chainguard Image scanning for SBOM and SCA.

Secure OSS catalog

By making Chainguard Images available in JFrog Artifactory, we have unlocked a new level of container security for those looking for a safe source for open source. Now, you can seamlessly integrate our hardened images into your existing JFrog workflows, leveraging the full power of Xray's scanning capabilities. This integration empowers your DevOps and Platform teams to provide developers with an OSS Catalog of hundreds of open source images with low-to-no CVEs.

With Chainguard Images in JFrog Artifactory, you can:

  1. Dramatically reduce the noise generated by unsecure container images in Xray’s reports, allowing you to focus on what truly matters.

  2. Gain a clear understanding of your attack surface, risk profile, and overall security posture.

  3. Confidently deploy applications knowing that your containers are built on a foundation of security.

  4. Invest your time and resources in innovation and development, rather than constantly battling CVEs.

Start with hardened, minimal container images

Chainguard Images provide a solid foundation for your OSS catalog. These images are designed with security in mind, featuring minimal attack surfaces and daily updates.

Centralize image management with JFrog Artifactory

JFrog Artifactory serves as the central repository for your container images. Here's how to leverage it:

  • Store Chainguard Images in Artifactory as your approved base images.

  • Use Artifactory's repository management features to organize images by project, team, or application.

  • Implement version control for your images, allowing you to track changes and roll back if necessary. Leverage digestabot to depend only on immutable digest changes, instead of mutable tags.

Enhance security with JFrog Xray

JFrog Xray adds a crucial layer of security to your golden image program:

  • Continuously scan your stored Chainguard Images for vulnerabilities.

  • Set up policies to automatically block the use of images with critical vulnerabilities.

  • Generate detailed reports on the security status of your images.

Implement a curation process

Establish a process for curating and approving images:

  • Use Artifactory's permission management to control who can push or pull images.

  • Leverage Xray's findings to make informed decisions about which images to approve.

Automate the golden image pipeline

Automation is key to maintaining an efficient golden image program:

  • Set up CI/CD pipelines that automatically pull the latest Chainguard Images, scan them with Xray, and push approved images to a "golden" repository in Artifactory.

  • Use JFrog Pipelines or your preferred CI/CD tool to automate this process.

Enforce usage of golden images

Platform engineering’s main goal is to prevent developers from introducing unmaintained, vulnerable, noncompliant, and malicious code into the organization. For that:

  • Configure your build systems to only pull Chainguard Images from the golden image repository.

  • Use Artifactory's virtual repositories to present a unified view of approved images.

  • Implement policy checks in your CI/CD pipelines to verify that only approved images are used.
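As an added example (not code from this post, Chainguard, or JFrog), here is a Python policy check for the last step above that also enforces the digest-pinning advice from the Artifactory section: it parses a Dockerfile's FROM lines and flags any base image that is not pulled from the golden repository or that is referenced by a mutable tag instead of an immutable digest. The golden repository path artifactory.example.com/golden-images/ is a hypothetical Artifactory virtual repository, and the sample Dockerfile and its digest are constructed.

```python
import re
from typing import List, NamedTuple

# Hypothetical golden repository; assumes a virtual repo in a self-hosted Artifactory.
GOLDEN_PREFIX = "artifactory.example.com/golden-images/"

# Matches "FROM [--platform=...] <ref> [AS <alias>]"; Dockerfile keywords are case-insensitive.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


class Violation(NamedTuple):
    line_no: int
    reference: str
    reason: str


def check_dockerfile(text: str, golden_prefix: str = GOLDEN_PREFIX) -> List[Violation]:
    """Return one Violation per policy breach found among the Dockerfile's FROM lines."""
    violations: List[Violation] = []
    stage_aliases = set()  # names declared with "AS"; later FROM lines may reuse them
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stage_aliases.add(m.group("alias").lower())
        if ref.lower() in stage_aliases:
            continue  # "FROM builder" reuses an earlier stage, not a registry image
        if "$" in ref:
            violations.append(Violation(line_no, ref, "base image set via build ARG; cannot be verified statically"))
            continue
        if not ref.startswith(golden_prefix):
            violations.append(Violation(line_no, ref, "image not pulled from the golden repository"))
        if not DIGEST_RE.search(ref):
            violations.append(Violation(line_no, ref, "image referenced by mutable tag, not immutable digest"))
    return violations


# Constructed sample; the digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM artifactory.example.com/golden-images/chainguard/go:latest AS builder
FROM --platform=linux/amd64 docker.io/library/golang@{PLACEHOLDER_DIGEST}
FROM artifactory.example.com/golden-images/chainguard/static@{PLACEHOLDER_DIGEST} AS final
FROM builder
"""

if __name__ == "__main__":
    for v in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {v.line_no}: {v.reference}: {v.reason}")
```

Run it as a CI step and fail the build when the returned list is non-empty; only line 3 of the sample passes both checks.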

Remember, a successful golden image program is not just about tools — it's about establishing processes, fostering collaboration between security and development teams, and continuously evolving to meet new challenges. That said, it has never been easier to start building a curated set of open source software with low-to-no vulnerabilities than with this integration.

Chainguard Images: Redefining container security

OSS is "the backbone of digital innovation" according to Gartner’s latest Platform Engineering Hype Cycle. At Chainguard, our mission is to provide developers with the most secure and reliable open source software. Our hardened, minimal container images are meticulously crafted to minimize the attack surface and eliminate vulnerabilities. With Chainguard Images, you can say goodbye to the constant barrage of CVEs that plague traditional container images. Our images are designed to be nimble, performant, and most importantly, secure from the ground up.


Image of scanners that are compatible with Chainguard: Snyk, Grype, Prisma, Trivy, VulnCheck, Wiz, AWS, Crowdstrike, KSOC, Sysdig, JFrog Xray.

By combining the security-focused Chainguard Images with the robust management capabilities of JFrog Artifactory and the deep security insights of JFrog Xray, you can build the foundations of a successful golden image program that enhances your organization's security posture, streamlines development, and ensures consistency across your containerized applications. Learn how today!
