Comment by progbits
6 months ago
They do keep some of them more up to date, for example the bitnami python image had system packages patched faster than the official one. But if you are willing to pay then chainguard is a better solution.
ChainGuard is $$$$$$$
We talked to them a couple years ago. A lot of what they are doing besides Wolfi is using Alpine, which removes a lot of findings by default
Alpine helps but it's not perfect. Plenty of outdated packages with known CVEs there for a long time.
Often they are not exploitable but it's easier to pay chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves.
The GPU images are indeed very expensive though.
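For readers weighing the "deal with distroless builds ourselves" option mentioned above, here is an added example (not from any commenter, and not Chainguard's or Bitnami's code) of the usual shape: a multi-stage Dockerfile that builds a Python app on a full Debian image and then copies only the interpreter-agnostic bits onto a distroless runtime. `app.py` and `requirements.txt` are assumed to exist in the build context; the image tags are the public distroless and Docker Hub tags current at the time of writing.

```dockerfile
# Added example, not from the thread: multi-stage build onto a distroless base
# so the scanner only sees the interpreter plus the app's own dependencies
# (no shell, no apt, no coreutils to accumulate CVE findings).
# Assumed to exist in the build context: app.py, requirements.txt

# --- build stage: full toolchain, never shipped -------------------------------
# Pin the same Debian release (bookworm) and Python minor (3.11) as the runtime
# image, so compiled wheels link against the same glibc and the same libpython.
FROM python:3.11-slim-bookworm AS build
WORKDIR /app
COPY requirements.txt .
# Install into a plain directory rather than a venv: a venv hardcodes the
# builder's interpreter path, a --target directory is just importable files.
RUN pip install --no-cache-dir --target /app/deps -r requirements.txt
COPY app.py .

# --- runtime stage: distroless Python on Debian 12 --------------------------
FROM gcr.io/distroless/python3-debian12
WORKDIR /app
COPY --from=build /app/deps /app/deps
COPY --from=build /app/app.py  /app/app.py
# Make the copied dependencies importable without site-packages surgery.
ENV PYTHONPATH=/app/deps
# The distroless images ship a predefined unprivileged user.
USER nonroot
# Keep the base image's entrypoint (its python3 interpreter); only pass the script.
CMD ["app.py"]
```

The usual pain points, and the reason some teams pay to avoid them: the interpreter version in the build stage must track whatever the distroless tag currently ships, there is no shell for `docker exec` debugging, and any dependency that spawns subprocesses or expects system tools will fail at runtime rather than at build time. Rescanning the resulting image with the team's existing vulnerability scanner is the check that tells you whether the findings actually dropped.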
I get it, but the likelihood those vulns are exploitable in your environment is dubious. It's a lot of compliance theater. Defense in depth
6 replies →
For what it's worth, their pricing has decreased substantially over the last year. Their most recent quote to us was about 25% of the one we received a year or so ago.
For some more transparency, we pay ~$9k/year per image (all versions/variants) for some basic images (think python, golang etc). The ones with cuda drivers are more expensive but I don't have the exact prices on hand.
Docker isn’t nearly the same $$$. Their catalog is growing.
Docker doesn’t have hardened / zero CVE containers
1 reply →