by KyleSanderson 821 days ago
so...

FROM:scratch ?

Might be worthwhile restating the company's business model in announcements like this, especially for people unfamiliar with the area. This sounded like some WireGuard thing from the name, only to discover it's just an org delivering statically linked binaries in a scratch Docker image to defeat scanners...

2 comments

Sort of.

A few things though:

- we don't use scratch. Our base image is chainguard/static which includes certs and a few other things typically needed by apps.

- we have our own Linux distribution called Wolfi.

- we don't "defeat scanners". We work with scanners and publish security advisories. They recognise Wolfi. You can definitely find some images of ours that have CVEs (especially if you have an old image lying around).

There's no defeating of scanners or even static linking. It's all automation, dynamic linking and patching to make the scanners happy. We go to great lengths to make sure that the scanners actually find everything so the results are accurate.