I'm curious about how Chainguard can help with security when the source code itself gets compromised, as seen in the recent NPM attack where malicious packages were introduced. Since Chainguard builds images from source, what measures does it have in place to counter such threats?
1 Answer
Hey! I actually work at Chainguard, and we recently discussed this on our blog. The key feature we offer is a product specifically for building libraries from source, which includes NPM and PyPI packages. If you were using our Libraries product, we would prevent the shipping of compromised versions, since what we build wouldn't match the altered source. Though, just a heads up, we're still improving our NPM support!
Thanks for the info! But what happens if the code in GitHub is compromised? Can Chainguard do anything in that situation?
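The check the answer above describes, rebuilding a package from its source tag and refusing anything the registry serves that does not match, can be demonstrated in a few dozen lines. The script below is an added example written for this page; it is not Chainguard's code and says nothing about how their Libraries product is implemented. Both the "source checkout" (SOURCE_TREE) and the two "registry tarballs" (HONEST_PUBLISHED, TAMPERED_PUBLISHED) are constructed in memory so it runs offline, and the injected postinstall hook and setup.js dropper are made-up stand-ins for the kind of change a registry-side compromise introduces.

```python
"""Added example (not Chainguard's code): flag a published npm tarball that
does not match a from-source build of the same version.

All inputs are constructed inline. The tampered artifact is hypothetical."""
import base64
import gzip
import hashlib
import io
import json
import tarfile

# Lifecycle scripts npm runs at install time; a new one of these is the
# classic place a registry-only compromise hides.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def npm_integrity(data: bytes) -> str:
    """SRI string in the form package-lock.json records ("sha512-<base64>")."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_tarball(files: dict) -> bytes:
    """Pack a {path: bytes} tree into a gzip'd tar with npm's "package/" prefix.
    mtime, uid/gid and gzip header are pinned so the same tree always yields
    byte-identical output (the property a reproducible from-source build has)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for path in sorted(files):
                data = files[path]
                info = tarfile.TarInfo("package/" + path)
                info.size = len(data)
                info.mtime = 0
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_tarball(blob: bytes) -> dict:
    """Inverse of build_tarball: {path: bytes} for every regular file."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                name = member.name
                if name.startswith("package/"):
                    name = name[len("package/"):]
                files[name] = tar.extractfile(member).read()
    return files


def install_hooks(files: dict) -> list:
    """Install-time lifecycle scripts declared in package.json."""
    scripts = json.loads(files.get("package.json", b"{}")).get("scripts", {})
    return sorted(k for k in scripts if k in INSTALL_HOOKS)


def compare_to_source(source_files: dict, published_blob: bytes) -> dict:
    """Rebuild from source, then report every way the published artifact differs."""
    rebuilt = build_tarball(source_files)
    published = extract_tarball(published_blob)
    report = {
        # Only true when the build is reproducible; file-level diff below is the robust check.
        "artifact_integrity_match": npm_integrity(rebuilt) == npm_integrity(published_blob),
        "added": [], "removed": [], "modified": [],
        "new_install_hooks": sorted(set(install_hooks(published)) - set(install_hooks(source_files))),
    }
    for path in sorted(set(source_files) | set(published)):
        if path not in source_files:
            report["added"].append(path)
        elif path not in published:
            report["removed"].append(path)
        elif source_files[path] != published[path]:
            report["modified"].append(path)
    report["clean"] = not (report["added"] or report["removed"]
                           or report["modified"] or report["new_install_hooks"])
    return report


# Constructed source checkout of the tagged release.
SOURCE_TREE = {
    "package.json": json.dumps({"name": "example-lib", "version": "1.2.3", "main": "index.js",
                                "scripts": {"test": "node test.js"}}).encode(),
    "index.js": b"module.exports = { add: (a, b) => a + b };\n",
}

# Honest registry artifact: exactly what a from-source build produces.
HONEST_PUBLISHED = build_tarball(SOURCE_TREE)

# Constructed compromised artifact: same version string, but the registry copy
# gained an install hook, a dropper file, and a require() the repo never had.
_tampered = dict(SOURCE_TREE)
_tampered["package.json"] = json.dumps({"name": "example-lib", "version": "1.2.3", "main": "index.js",
                                        "scripts": {"test": "node test.js",
                                                    "postinstall": "node setup.js"}}).encode()
_tampered["index.js"] = SOURCE_TREE["index.js"] + b"require('./setup');\n"
_tampered["setup.js"] = b"// hypothetical injected code\n"
TAMPERED_PUBLISHED = build_tarball(_tampered)

if __name__ == "__main__":
    for label, blob in (("honest", HONEST_PUBLISHED), ("tampered", TAMPERED_PUBLISHED)):
        print(label, json.dumps(compare_to_source(SOURCE_TREE, blob), indent=2))
```

Two caveats a practitioner would want. First, the whole-tarball integrity comparison only succeeds when the build is bit-for-bit reproducible; a real `npm pack` output differs from this script's pinned headers, so the file-level and install-hook comparison is the check that generalizes. Second, this detects divergence between the registry artifact and the source tag; it cannot, by construction, say anything about source that was already malicious when it was committed, which is exactly the follow-up question raised in the thread.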