top | item 44328405

Show HN: SecureBuild – Zero-CVE Images That Pay OSS Projects

40 points| grantlmiller | 8 months ago |securebuild.com

We're launching SecureBuild: https://securebuild.com — a new way for open source projects and maintainers to earn revenue by partnering with and endorsing our Zero-CVE container images of their project.

We’ve spent the last decade at Replicated (https://news.ycombinator.com/item?id=9841243) helping commercial and open source software vendors securely distribute their apps to enterprise environments. During that time, we saw firsthand how hard it is for maintainers to fund their work, and how increasingly demanding enterprises have become when it comes to demonstrable security and scanning.

SecureBuild is our attempt to bridge that gap. Built on top of Wolfi (https://news.ycombinator.com/item?id=36489847), we provide Zero-CVE container images with tight SLAs, full SBOMs, etc, but we route 70% of direct subscription revenue back to the open source projects that create them.

We’re especially interested in partnering with open source maintainers who want to make their projects more secure and sustainable without changing licenses. We handle builds, hosting, sales, patching, and customer delivery.

I'm Grant (https://news.ycombinator.com/user?id=grantmiller), co-founder of Replicated & co-creator of SecureBuild, working with my co-founder Marc Campbell (https://news.ycombinator.com/user?id=marcc). We hope this can be part of a broader push toward a more secure, economically sustainable future for open source.

Happy to answer questions and share more details!

17 comments

jenny91|8 months ago

The intersection of entities whose security is based around "responding to every CVE quickly" and the entities that care about supporting OSS projects has measure zero.

grantlmiller|8 months ago

well... our core users are ISVs (who distribute commercial software into enterprise controlled, self-hosted environments... think big banks, governments, tech companies). They care about supporting OSS (almost 1/2 of them are open core themselves) and their customers mandate that they care about closing out CVEs quickly in the software they're consuming from them.

unknown|8 months ago

[deleted]

westwater|8 months ago

What's the process to add new images?

I assume this is limited to CVEs in the underlying layers, and adding in the latest of the primary package. Given that how/are you testing the images after you fix the CVEs?

marcc|8 months ago

Adding images involves us creating a new package (APK) in our APK repo. This is done by creating a melange build config (https://github.com/chainguard-dev/melange). The melange config defines some basic tests. It's not comprehensive, but generally validates that the binary produced is functional.

When we build the OCI image, we validate it via some custom tests that we've written. We have identified the canonical image (i.e. DockerHub, GHCR, etc), and we confirm that our image has the same entrypoint, args, env that the canonical image has. Then we have some generated scenarios we run the OCI image through to make sure it functions the same as the canonical image runs.

For example, we have Postgres in the catalog today. When we rebuild, we have some tests that run with various configurations of PG_DATABASE/PG_PASSWORD, etc env vars. We run these with our image and with index.docker.io/library/postgres, and expect to see the same output with both.

cube00|8 months ago

> New SecureBuilds are created whenever upstream CVEs are available, with a 6-day SLA for critical vulnerabilities.

Aren't most SecOps pushing 48 hours as the absolute limit for critical vulns or are ours just being extra pushy?

marcc|8 months ago

We often deliver in way less than 6 days but sometimes the dependency tree is deep for a patch.

I've seen most auditors mandate 30 days for Critical, but you clearly want to move a lot quicker than that.

siggy|8 months ago

thanks for sharing. what's the onboarding process look like? if i'm maintaining my own Dockerfiles today, do you or I evaluate and port those to SecureBuild/Wolfi?

marcc|8 months ago

We work together on it. Assuming you have a build process and dockerfile (we all do), generally our team can get you listed in the catalog quickly.

It's not too much work since we built on an existing set of tools (melange & apko). I've actually found that putting a Dockerfile into ChatGPT generates a really good first iteration.

sheepybloke|8 months ago

How does this compare with something like IronBank? Looks like that could be a great partnership!

dhorthy|8 months ago

this looks cool - your homepage video should open with what it is though!

grantlmiller|8 months ago

thanks! say more about what you mean... you're saying instead of: Secure, Sustainable Open Source Partner with SecureBuild to offer secure, vulnerability-free builds of your open source project while generating recurring software revenue, no support contracts required.

we should say something different?