<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Conceptual on</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/conceptual/</link><description>Recent content in Conceptual on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Mon, 16 Mar 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/conceptual/index.xml" rel="self" type="application/rss+xml"/><item><title>Chainguard Shared Responsibility Model</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/about/shared-responsibility-model/</link><pubDate>Thu, 17 Oct 2024 11:07:52 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/about/shared-responsibility-model/</guid><description>Chainguard’s mission is to be the safe source for open source. As part of this mission, Chainguard builds all of our packages and images from upstream open source code and delivers the resulting artifacts to our customers. There are three distinct parties involved here: Upstream projects, Chainguard, and Customers; each of these parties shares some measure of responsibility across a few dimensions.
This guide is an overview of Chainguard&amp;rsquo;s Shared Responsibility Model: a framework that outlines the security responsibilities of upstream open source software projects, Chainguard, and its customers.</description></item><item><title>Strategies for Minimizing your CVE Risk</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/cve-risk/</link><pubDate>Thu, 16 Nov 2023 11:07:52 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/cve-risk/</guid><description>Common vulnerabilities and exposures (CVEs) are an increasing concern for developers and organizations, which is why Chainguard developed its minimal container images that reduce the attack surface. A new CVE in a widely-used application or a vulnerability scan with numerous positive results can significantly impact security posture, compliance requirements, and development timelines.
Chances are, your software has already been impacted by a CVE. It&amp;rsquo;s likely there are active CVEs in software you are using.</description></item><item><title>What is an SBOM (software bill of materials)?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-an-sbom/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-an-sbom/</guid><description>Modern software applications contain hundreds to thousands of open source and third-party components, creating significant security challenges that SBOMs help address - which is why Chainguard includes comprehensive SBOMs with every container image. Without structured visibility into these components, organizations struggle to identify and respond to vulnerabilities, even when patches are available. This lack of transparency leaves systems vulnerable to exploitation, making SBOMs essential for maintaining secure software supply chains.</description></item><item><title>Introduction to SLSA</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/compliance/slsa/what-is-slsa/</link><pubDate>Tue, 14 Feb 2023 08:49:15 +0000</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/compliance/slsa/what-is-slsa/</guid><description>SLSA (pronounced “salsa”), or Supply chain Levels for Software Artifacts, is a security framework consisting of standards and controls that prevent tampering, improve integrity, and secure packages and infrastructure. While cyberattacks like SolarWinds and Codecov have demonstrated the importance of protecting software from tampering and malicious compromise, the complexity of the software development lifecycle can leave many feeling unable to adequately understand or respond to these specific security issues.
Released by Google’s Open Source Security Team in 2021, SLSA was created as a framework to help software creators understand where and how they can harden their supply chain security practices, and help software consumers evaluate the integrity of a software product or component before they decide to use it.</description></item><item><title>What are Containers?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/what-are-containers/</link><pubDate>Tue, 17 Oct 2023 20:02:23 +0000</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/what-are-containers/</guid><description>Maximizing the performance of computer hardware has been a critical undertaking for software engineers for decades. First developed in the 1960s, virtual machines (VMs) were an early answer to this challenge, allowing a single computer to host multiple, isolated operating systems. VMs enable different guest users or processes to share physical infrastructure while keeping their concurrent operations separated. However, as VMs are both slow to initialize and resource-intensive, a modern solution arrived in the early 2000s: containers.</description></item><item><title>Selecting a Base Container Image</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/selecting-a-base-image/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/selecting-a-base-image/</guid><description>Software teams building and deploying container-based software applications often use a &amp;ldquo;base image,&amp;rdquo; an initial set of software packages often associated with a Linux distribution. 
Software developers, security professionals, and infrastructure teams seeking to make an informed decision about what base image to use must consider a number of criteria when selecting a base image appropriate for their needs. Base images like those provided by Chainguard are designed to meet these security criteria while maintaining compatibility.</description></item><item><title>What is software supply chain security</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/what-is-software-supply-chain-security/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/what-is-software-supply-chain-security/</guid><description>An earlier version of this material was published in the first chapter of the Linux Foundation Sigstore course.
Software producers have a supply chain just like manufacturing businesses have a supply chain. And just like manufacturers require physical inputs and then perform a manufacturing process to build a finished product, so do software producers, whether the producer is a company or individual. In other words, a software producer uses components, developed by third parties and themselves, and technologies to write, build, and distribute software.</description></item><item><title>What Makes a Good SBOM?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</guid><description>A software bill of materials, or an SBOM (pronounced s-bomb), is a formal record of the components contained in a piece of software. It is analogous to an ingredients list for a recipe. And it has become recognized as one of the key building blocks of software supply chain security. Proponents rightfully point out that organizations can&amp;rsquo;t secure their software if they don&amp;rsquo;t know what&amp;rsquo;s inside their software.
As awareness and adoption of SBOM has grown, there has been a gradual acknowledgement that not all SBOMs are created equal; some are more or less useful, depending on the goals of the SBOM user and the contents of the SBOM.</description></item><item><title>Chainguard Glossary</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/glossary/</link><pubDate>Mon, 01 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/software-security/glossary/</guid><description>General terms Software supply chain Like in material goods supply chains, a software supply chain is composed of activities that an organization undertakes to deliver an end product or service to a consumer. Software supply chain activities involve the transformation of dependencies, packages, components, binaries, build and packaging scripts, code and other software artifacts, and infrastructure into a finished software deliverable that is deployed into production. Participants in the supply chain include actors like developers, reviewers, testers, and maintainers who are working on the product at hand, but also include those who maintain and contribute to packages and package managers, and other software that may be incorporated into a given product.</description></item><item><title>Verified Organizations</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/administration/iam-organizations/verified-orgs/</link><pubDate>Tue, 15 Aug 2023 14:22:23 -0700</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/administration/iam-organizations/verified-orgs/</guid><description>Resources on the Chainguard platform are organized in a hierarchical structure called IAM Organizations. Single customers or organizations typically use a single root-level Organization to manage their Chainguard resources.
Organizations can optionally be verified. Verification modifies some aspects of the Chainguard platform user experience to help large organizations guide their user base to the correct resources.
Verifying your Organization Verification is currently a manual process. To verify your organization, please contact your customer support contact.</description></item></channel></rss>