ICYMI: What's new in Chainguard Academy

Lisa Tagliaferri, Director of Developer Education
April 3, 2023

Since we launched Chainguard Academy last fall, the team has been hard at work growing our library of resources to support software engineers in making security a default practice in their development process. We now have over 300 tutorials, docs and reference materials for open source projects and products like Chainguard Enforce and Chainguard Images.

Here is a wrap-up of some recently published guides and resources in Chainguard Academy to help you level up your software supply chain and open source security knowledge!

Chainguard Images and Wolfi

Chainguard Images now have more easily scannable reference pages so you can quickly review variants and dependencies for each of our Images. As an example, check out the Go Image Variant page.

Use these resources to get up and running with Chainguard Images faster.

We also have a growing number of Getting Started guides with Chainguard Images:

If you have a request for a particular Image, feel free to file an issue on our GitHub repo. 

We also published a new guide for Creating Wolfi Images with Dockerfiles if you’d like to learn more about Wolfi, the community Linux undistro designed for greater cloud native security.

OpenVEX and SBOMs

Since the release of the OpenVEX specification and reference toolchain, you may be wondering how VEX — championed by the US National Telecommunications and Information Administration (NTIA) — can fit within your security approach. We’ve got a number of resources for you so you can learn more about this exciting open work.

Start with What is OpenVEX?, our guide on the specification. Once you have a high-level understanding, you can move on to trying the OpenVEX vexctl CLI tool by walking through our Getting Started with OpenVEX and vexctl tutorial. Since this guide has an in-browser interactive terminal in place, you can try the tool before you commit to setting it up locally.

If SBOMs are new for you, we have two resources to help get you up to speed before venturing into the world of OpenVEX. Learn what software bills of materials are by reading What is an SBOM? and review how you can determine the quality of an SBOM by reading John Speed Meyer’s article What Makes a Good SBOM?

policy-controller

Sigstore’s policy-controller offers a way of requiring specific signatures and attestations for incoming images in your Kubernetes environments, enabling you to make security an integral and almost invisible part of your orchestration. The first step is signing, the next step is to validate these signatures, and the last crucial step is to enforce what you choose to permit or disallow. We recently posted a Sigstore policy-controller 101 blog post to introduce you to the tool. 

Once you are ready to dig in more, we have a growing number of tutorials and different policies you can use to make sure you have greater control over what is admitted into your Kubernetes clusters. All of these tutorials have our interactive terminal sandbox environment so that you don’t need to try it out on your own clusters right away.

Sigstore's policy-controller allows you to apply policies to incoming images, but it will not flag any existing images that don't meet the policy requirements. If you want to make sure all of your existing images are in compliance with your policies, you can use Chainguard Enforce to enable continuous verification. Any policy you use with Sigstore's policy-controller will also work with Chainguard Enforce. You can read more about managing policies and how Enforce implements continuous verification by reviewing our Chainguard Enforce documentation.  

Start Learning and Securing!

The highlights above are just the beginning of what is currently available on Chainguard Academy. Learn all about Sigstore, apko, open containers, Chainguard Enforce and more. Many of our open source tutorials include an interactive terminal so you can try out the tooling before setting it up on your machine.

Since Chainguard Academy is open source, we invite you to check out our repo and file an issue if there is something you would like to know more about!
