Wolfi Containers

"Wolfi Containers: Building Minimal, Secure Images for Modern Supply Chains"
Modern container security failures rarely start in production—they start upstream, in dependency graphs, build runners, registries, and the quiet assumptions baked into “base images.” This book is written for senior engineers, platform teams, and security-minded builders who want to move beyond Dockerfile folklore and toward a provable, minimal-by-design container supply chain. If you’re responsible for hardened runtimes, fast patch response, or audit-ready delivery, Wolfi’s “undistro” model gives you a sharper set of tools—and sharper trade-offs to manage.
You’ll learn how Wolfi OS reframes the OS as an explicit package contract, how APK repositories establish trust roots, and how retention, pinning, and reproducibility interact with patch velocity. The book goes deep on the Wolfi toolchain—melange for building signed APKs from source and apko for assembling deterministic OCI images—then shows how to engineer minimal runtime images that still work in the real world (certs, time, DNS, shared libraries) without dragging toolchains into production.
Finally, it operationalizes evidence: SBOM generation and diffing, provenance attestations, and end-to-end signing and verification, tied to CI/CD policy gates and admission controls. Expect rigorous decision criteria, failure modes and anti-patterns, and a blueprint for “build → scan → sign → attest → deploy” that holds up under real compliance and incident pressure.