A quick overview of the SecureBuild partnership program and what it means for your project.
An energetic showcase of why SecureBuild is awesome and how it's changing the open source security game.
Exploring sustainable monetization strategies for open source projects through security partnerships.
How maintainers can ethically profit from their open source work while keeping their projects free.
Take a behind-the-scenes tour of how SecureBuild creates enterprise-grade secure builds at scale.
A beginner-friendly introduction to CVEs (Common Vulnerabilities and Exposures) and why they matter.
The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.
Well... our core users are ISVs (who distribute commercial software into enterprise-controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves), and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.
What's the process to add new images?
I assume this is limited to CVEs in the underlying layers, and adding in the latest of the primary package. Given that how/are you testing the images after you fix the CVEs?
Adding images involves us creating a new package (APK) in our APK repo. This is done by creating a melange build config (https://github.com/chainguard-dev/melange). The melange config defines some basic tests. It's not comprehensive, but generally validates that the binary produced is functional.
When we build the OCI image, we validate it via some custom tests that we've written. We have identified the canonical image (i.e. DockerHub, GHCR, etc), and we confirm that our image has the same entrypoint, args, env that the canonical image has. Then we have some generated scenarios we run the OCI image through to make sure it functions the same as the canonical image runs.
For example, we have Postgres in the catalog today. When we rebuild, we have some tests that run with various configurations of PG_DATABASE/PG_PASSWORD, etc env vars. We run these with our image and with index.docker.io/library/postgres, and expect to see the same output with both.
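The entrypoint/args/env check against the canonical image that the comment above describes, as an added example and not SecureBuild's own tooling: it diffs the `config` section of two OCI image configs, the JSON that `docker image inspect <image> --format '{{json .Config}}'` prints. Both sample configs below are constructed, and the drift they contain is invented for illustration.

```python
"""Report drift between a rebuilt OCI image's runtime config and the canonical image's.
Input is the `config` object of an OCI image config (Entrypoint, Cmd, Env, ExposedPorts).
"""
import json

# Constructed sample: what a canonical library image might declare.
CANONICAL = json.loads("""{
  "Entrypoint": ["docker-entrypoint.sh"],
  "Cmd": ["postgres"],
  "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin",
          "PGDATA=/var/lib/postgresql/data", "LANG=en_US.utf8"],
  "ExposedPorts": {"5432/tcp": {}}
}""")

# Constructed sample: a rebuild that drifted in entrypoint path and exposed ports.
REBUILT = json.loads("""{
  "Entrypoint": ["/usr/bin/docker-entrypoint.sh"],
  "Cmd": ["postgres"],
  "Env": ["LANG=en_US.utf8", "PGDATA=/var/lib/postgresql/data",
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin"],
  "ExposedPorts": {}
}""")


def env_to_dict(env):
    """Split KEY=VALUE entries into a dict; env order is not significant."""
    return dict(item.split("=", 1) for item in (env or []))


def compare_image_config(canonical, rebuilt):
    """Return human-readable drift findings; an empty list means no drift."""
    findings = []
    # Entrypoint and Cmd are argv lists: order matters, so compare exactly.
    for key in ("Entrypoint", "Cmd"):
        if (canonical.get(key) or []) != (rebuilt.get(key) or []):
            findings.append(f"{key}: canonical={canonical.get(key)} rebuilt={rebuilt.get(key)}")
    # Env is compared as a mapping so reordering alone is not reported.
    c_env, r_env = env_to_dict(canonical.get("Env")), env_to_dict(rebuilt.get("Env"))
    for name in sorted(set(c_env) | set(r_env)):
        if c_env.get(name) != r_env.get(name):
            findings.append(f"Env {name}: canonical={c_env.get(name)!r} rebuilt={r_env.get(name)!r}")
    # Exposed ports are a set: a port missing on either side is drift.
    c_ports, r_ports = set(canonical.get("ExposedPorts") or {}), set(rebuilt.get("ExposedPorts") or {})
    if c_ports != r_ports:
        findings.append(f"ExposedPorts: canonical={sorted(c_ports)} rebuilt={sorted(r_ports)}")
    return findings


if __name__ == "__main__":
    for line in compare_image_config(CANONICAL, REBUILT) or ["no drift"]:
        print(line)
```

Feeding it real configs is a matter of piping two `docker image inspect --format '{{json .Config}}'` outputs through `json.loads`; a non-empty result is the signal to block the rebuilt image before the scenario tests run.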