chainguard-dev/vulnerability-scanner-support

Vulnerability Scanner Support

This repository provides resources for software engineers who work on vulnerability scanners, to help them correctly implement support for Chainguard Images and the Wolfi (un)distribution.

Resources

Official Documentation

If you're unfamiliar with Chainguard Images, Wolfi, or the security data published by Chainguard, take a quick read through Foundational Concepts.

Next, to learn how to implement support for Chainguard Images and Wolfi in your vulnerability scanner, look at Scanning Implementation.

Finally, when you're ready to verify that your scanner produces the correct results for a given scan target, look at Verifying Scan Results.

Important: In order to officially support Chainguard Images and Wolfi, your scanner must meet the criteria defined in Verifying Scan Results.

Scanner Audit Tool

The scanner-audit tool is a Go-based CLI utility that allows organizations responsible for specific scanner implementations to validate their scanner against Chainguard's provided test cases. This tool helps ensure your scanner correctly identifies vulnerabilities in Chainguard Images and packages according to the official support criteria, producing a detailed HTML report with test results.

For detailed usage instructions and implementation details, please see the scanner-audit/ directory.
