I've discovered Chainguard Libraries for Python, which offer secured libraries with full attestations and SBOMs. As a developer and security professional, I know how crucial it is to have reliable artifact repositories. They help alleviate the stress on security teams when dealing with vulnerabilities during sprints or audits. I've dealt with the hassle of checking dependencies from PyPI and navigating SBOMs after supply chain attacks to evaluate risks and determine necessary remediations. A common issue is developers pulling from global repositories and either forgetting to upgrade or facing complex updates due to tightly coupled packages. Chainguard solves some of these pains with their CVE-free Python images and an efficient patching process. Now, I'm on the hunt for less costly or open-source alternatives that could provide similar security assurances. Any recommendations for resources or alternatives?
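The "navigating SBOMs after supply chain attacks" step in the question above is mechanical enough to script. The following is an added example, not code from the original post, from any of the answers, or from Chainguard: it loads a CycloneDX SBOM, normalizes package names the way PyPI does (PEP 503), and reports every component whose version falls inside a vulnerable range. Both the SBOM fragment and the `ADVISORIES` list are constructed inline for illustration; the advisory ids and ranges are made up and are not real CVE data. In practice the ranges would come from an advisory database such as OSV, and `packaging.version.Version` should replace the minimal numeric version parser used here.

```python
"""Triage a CycloneDX SBOM against a list of vulnerable version ranges.

Added example for illustration only. The SBOM and advisory data below are
constructed; the advisory ids and ranges are not real vulnerabilities.
"""
import json
import re

# Constructed CycloneDX 1.5-style SBOM fragment (illustrative, not a real build).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.28.1",
     "purl": "pkg:pypi/requests@2.28.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.5",
     "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "certifi", "version": "2023.7.22",
     "purl": "pkg:pypi/certifi@2023.7.22"}
  ]
}
"""

# Constructed advisory list: affected if introduced <= version < fixed.
# These ids and ranges are made up for the example; they are not real CVE data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.10"},
    {"id": "EXAMPLE-0002", "package": "requests", "introduced": "2.0.0", "fixed": "2.28.0"},
]


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lowercased.
    Needed because SBOM tools emit 'Flask_Login' and advisories say 'flask-login'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Parse the numeric release segment of a version into a comparable tuple.
    Pre/post/dev tags are ignored; use packaging.version.Version for full PEP 440."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding shorter tuples with zeros so '1.26' == '1.26.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    return not version_lt(version, introduced) and version_lt(version, fixed)


def find_affected(sbom: dict, advisories: list) -> list:
    """Return one record per (component, advisory) pair whose version is in range."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(normalize_name(adv["package"]), []).append(adv)

    hits = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # no version recorded: cannot evaluate, flag separately in real use
        for adv in by_package.get(normalize_name(comp.get("name", "")), []):
            if version_in_range(version, adv["introduced"], adv["fixed"]):
                hits.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return hits


def triage(sbom_json: str = SBOM_JSON, advisories: list = ADVISORIES) -> list:
    """Parse the SBOM text and run the range check; returns the affected list."""
    return find_affected(json.loads(sbom_json), advisories)


if __name__ == "__main__":
    for hit in triage():
        print(f"{hit['component']}=={hit['version']} affected by {hit['advisory']}, "
              f"upgrade to >={hit['fixed_in']}")
```

On the constructed data only `urllib3==1.26.5` is reported: `requests==2.28.1` sits at or above the made-up fix version, so it is clean, and `certifi` has no advisory at all. The half-open range and the name normalization are the two details that most often produce false negatives when people do this by hand.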
2 Answers
You might want to consider using Echo or other vulnerability-free image providers. They can help simplify things and really tackle the issue head-on.
Check out VulnFree, but keep in mind that true open-source alternatives might be hard to come by since that's what makes Chainguard valuable—they offer hardened and maintained images.

But we're focusing on libraries, not images; let's not mix them up.