What are Some Affordable or Open-Source Alternatives to Chainguard Libraries for Python?

Asked By TechyTurtle123 On

I recently found out about Chainguard's libraries for Python, and I'm really impressed with how they offer secured libraries complete with attestations, provenance, and supply chain management (SBOMs). As a developer and security expert, I know how vital these resources are for easing the workload on security teams, especially when it comes to managing vulnerabilities across libraries in our projects.

I've dealt with this pain point myself; right now, I rely on pulling dependencies from PyPI, but whenever a supply chain attack happens, it's a hassle to sift through entire SBOMs to find the affected packages and figure out the remediations. I need to ascertain the impact of these vulnerabilities—whether they pose a real threat or are just low-severity issues that can be fixed with minor updates. It can get pretty frustrating for everyone involved.

There's also a trend I've noticed where developers pull dependencies from public repositories like NPM and PyPI, but they either forget to upgrade them or face challenges due to tightly coupled packages that require extensive changes for updates, especially when they introduce breaking changes. Chainguard libraries help mitigate these issues by providing CVE-free packages with a streamlined patching process.

I'm looking for cost-effective or open-source alternatives to Chainguard Libraries for Python that would be useful for my team, particularly for our Python developers, and would allow us to benchmark our current software composition analysis (SCA) process. Does anyone have suggestions for open-source options that offer similar security features?
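The SBOM triage step described in the question (sifting an SBOM for the packages an advisory actually hits, then sorting the real threats from the minor ones) as an added example; this is not code from the original post, from Chainguard, or from any project named here. It reads a constructed CycloneDX-style JSON SBOM, matches its PyPI components against a constructed advisory list whose ranges use the same introduced/fixed shape as OSV events, and ranks the hits by severity. All package names, advisory ids, versions and ranges are made up for the example, and version comparison is simplified to plain dotted releases rather than full PEP 440.

```python
"""Added example: find which SBOM components fall inside advisory ranges.

Assumptions (not from the original post):
  * SBOM is CycloneDX 1.x JSON with a 'components' array of name/version/purl.
  * Advisories are a constructed dict keyed by package name; each range is a
    half-open [introduced, fixed) pair like OSV's introduced/fixed events.
  * Versions are plain dotted releases; pre-release/local segments are ignored.
"""
import json
import re

# Constructed sample SBOM (CycloneDX JSON shape). Package names are fictional.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.25.1",
     "purl": "pkg:pypi/example-http@2.25.1"},
    {"type": "library", "name": "Example_Parser", "version": "0.9.0",
     "purl": "pkg:pypi/example-parser@0.9.0"},
    {"type": "library", "name": "example-crypto", "version": "3.4.0",
     "purl": "pkg:pypi/example-crypto@3.4.0"}
  ]
}
"""

# Constructed advisory list. Ids, ranges and severities are made up.
ADVISORIES = {
    "example-http": [
        {"id": "EXAMPLE-ADV-0001", "severity": "MEDIUM",
         "ranges": [("2.0.0", "2.31.0")]},
    ],
    "example-parser": [
        {"id": "EXAMPLE-ADV-0002", "severity": "HIGH",
         "ranges": [("0.0.0", "1.0.0")]},
    ],
    "example-crypto": [
        # Already fixed before the version in the SBOM, so no finding expected.
        {"id": "EXAMPLE-ADV-0003", "severity": "CRITICAL",
         "ranges": [("3.0.0", "3.2.0")]},
    ],
}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def normalize_name(name):
    """PEP 503 normalization so 'Example_Parser' and 'example-parser' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """'1.26.18' -> (1, 26, 18). Simplified: numeric prefix of each segment
    only, zero-padded to three parts so (1, 0) and (1, 0, 0) compare equal."""
    parts = []
    for seg in version.split("."):
        digits = re.match(r"\d+", seg)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    lo = parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    return lo <= v and (hi is None or v < hi)


def load_components(sbom_json):
    """Return (normalized_name, version) for each PyPI component in the SBOM."""
    bom = json.loads(sbom_json)
    comps = []
    for c in bom.get("components", []):
        purl = c.get("purl", "")
        if purl.startswith("pkg:pypi/"):
            comps.append((normalize_name(c["name"]), c["version"]))
    return comps


def find_affected(sbom_json, advisories):
    """Cross the SBOM with the advisory list; return findings, worst first."""
    norm_adv = {normalize_name(k): v for k, v in advisories.items()}
    findings = []
    for name, version in load_components(sbom_json):
        for adv in norm_adv.get(name, []):
            for introduced, fixed in adv["ranges"]:
                if version_in_range(version, introduced, fixed):
                    findings.append({
                        "package": name,
                        "version": version,
                        "advisory": adv["id"],
                        "severity": adv["severity"],
                        "fixed_in": fixed,
                    })
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['package']}=={f['version']} "
              f"({f['advisory']}) fixed in {f['fixed_in']}")
```

The `fixed_in` field is what turns a finding into a remediation: a bump within the same major version is usually the "minor update" case, while a fix only available across a major boundary is where the tightly-coupled-dependency problem from the question shows up. In practice the SBOM comes from your build (for example a CycloneDX generator run in CI) and the advisory data from a feed such as OSV rather than a hand-written dict.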

4 Answers

Answered By DevGuru99 On

Have you checked out VulnFree? While it may be tough to find fully open-source alternatives, as those typically come with significant value adds, it might be worth investigating.

Answered By CuriousCoder77 On

If an open-source project can replicate what Chainguard, Endor, or Wiz do with their secure patching, then wouldn’t they just patch the original OSS project and ensure no breaking changes? It’s a valid question to explore.

Answered By SecuritySage42 On

I think it's essential to have a significant entity driving this. Getting institutions, like universities, to mandate use of well-maintained libraries for government-related software development could really streamline things.

Answered By CodeNinja88 On

You could consider using Echo or similar providers that offer vulnerability-free images. They can really simplify the process and save you some headaches in the long run.

DevGuru99 -

Just a heads-up, we’re talking about libraries, not images, in this context.
