At Chainguard, our mission is to be the safe source for open source. We believe that every organization should easily be able to leverage secure open source software. That's why we're excited to announce that Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format.
OSV, an open standard launched by Google in 2021, and now a part of the OpenSSF, aims to simplify the vulnerability reporting process for open source maintainers and improve the accuracy of vulnerability queries for downstream consumers. By providing precise metadata in an easy-to-query format, OSV streamlines the process of identifying and addressing security issues in open source software.
What is OSV and why is it important for Chainguard?
OSV was launched to revolutionize vulnerability triage for developers and users of open source software. It serves OSS maintainers as much as it helps downstream consumers of open source software.
OSV enhances the accuracy of vulnerability queries through its easy-to-query database. This database contains precise metadata, enabling Chainguard Images users to obtain detailed information about vulnerabilities, including their severity, impact, and affected versions. This level of granularity helps consumers of open source software make informed decisions about the security of their applications and prioritize remediation efforts accordingly.
OSV empowers developers and users with precise vulnerability data so they can make informed decisions about the security of their applications and prioritize remediation efforts. This contributes to a more secure consumption of open source software via Chainguard Images, benefiting both developers and end users alike.
For Chainguard Co-founder and Chief Product Officer, Kim Lewandowski, who authored and helped launch that project at Google in 2021, it has come full circle now that the company she co-founded adopts it.
Adopting the OSV format aligns perfectly with Chainguard's vision of creating a more secure software ecosystem. We believe that vulnerability management should be an integral part of the open source development process, supported by automated infrastructure. By publishing our security feeds in the OSV format, we're taking a significant step towards making this vision a reality.
Currently, Chainguard publishes its security feeds in the Alpine-style “secdb” format:
- Wolfi feed: https://packages.wolfi.dev/os/security.json
- Chainguard feed: https://packages.cgr.dev/chainguard/security.json
This is where we are publishing our OSV-compliant security feed for both Wolfi and Chainguard:
- Chainguard OSV feed: https://packages.cgr.dev/chainguard/osv/all.json
Why OSV? To make scanners results better for our customers.
Publishing Chainguard’s security advisories in the OSV schema offers several benefits for container image scanners. At Chainguard, we are committed to making scanners work better and provide more actionable reports to our clients.
The OSV schema provides a standardized and machine-readable format for vulnerability information so that scanners can consistently consume and process data from various sources. This way, Chainguard’s new OSV-formatted security advisory feed improves accuracy by including detailed metadata and reducing false positives.
With this new OSV security advisory, scanners can quickly detect vulnerabilities, integrate with vulnerability databases, and automate vulnerability tracking. Overall, it will contribute to better interoperability, accuracy, speed, and automation of container image scanning processes, and improve the security practices in containerized environments in our customers’ CI process — that is our ultimate goal.
The above picture represents the scanners that Chainguard works with at the time of publishing this blog post. Check the Scanners page to know how many are able to scan them now. By adopting the OSV format, we are inching closer to making our images scannable by Google Cloud’s Artifact Analysis and Docker Scout, which should be the next to be added to the list above. Stay tuned!
At Chainguard, we remain committed to providing the tools, best practices, and expertise needed to secure the software supply chain. Adopting the OSV format for our security advisory feeds is just one more way we're working to make software security accessible to everyone. To learn more about how Chainguard Images can serve your organization, reach out today.
