New generation of distroless, vulnerability-free container images?

Chainguard started offering distroless images that aim for zero-known vulnerabilities. Unbelievable!

The images come with SBOM and are signed with cosgin, of course.

❯ docker run --rm \
  -v trivy-cache:/root/.cache \
  -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:0.32.0 \
  image -q cgr.dev/chainguard/nginx

cgr.dev/chainguard/nginx (alpine 3.16)
======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro