From b711dd23085f3c7221d0837fd3067fd33766023b Mon Sep 17 00:00:00 2001 From: Mark Drake Date: Mon, 6 Apr 2026 16:50:11 -0700 Subject: [PATCH 1/4] Add changelog section scaffold for Chainguard Containers Adds a new public changelog section at /chainguard/chainguard-images/changelog/, including a changelog-label shortcode for styled entry-type badges, supporting SCSS, and sample/placeholder entries. Also includes a writeup documenting the structure and the proposed API integration approach. Co-Authored-By: Claude Sonnet 4.6 --- assets/scss/app.scss | 1 + assets/scss/components/_changelog.scss | 41 ++++++ changelog-1pager.md | 86 ++++++++++++ changelog-writeup.md | 129 ++++++++++++++++++ .../chainguard-images/changelog/2026.md | 65 +++++++++ .../chainguard-images/changelog/_index.md | 19 +++ layouts/shortcodes/changelog-label.html | 3 + 7 files changed, 344 insertions(+) create mode 100644 assets/scss/components/_changelog.scss create mode 100644 changelog-1pager.md create mode 100644 changelog-writeup.md create mode 100644 content/chainguard/chainguard-images/changelog/2026.md create mode 100644 content/chainguard/chainguard-images/changelog/_index.md create mode 100644 layouts/shortcodes/changelog-label.html diff --git a/assets/scss/app.scss b/assets/scss/app.scss index 164a54b515..5532be1108 100644 --- a/assets/scss/app.scss +++ b/assets/scss/app.scss @@ -48,6 +48,7 @@ @import "components/footer-www-match"; @import "components/footer-border-fix"; @import "components/header-logo"; +@import "components/changelog"; /** Import DocSearch */ @import "@docsearch/css/dist/style.scss"; \ No newline at end of file diff --git a/assets/scss/components/_changelog.scss b/assets/scss/components/_changelog.scss new file mode 100644 index 0000000000..03e26c5281 --- /dev/null +++ b/assets/scss/components/_changelog.scss 
@@ -0,0 +1,41 @@ +.changelog-label { + display: inline-block; + font-size: 0.7rem; + font-weight: 700; + letter-spacing: 0.06em; + text-transform: uppercase; + padding: 0.2em 0.65em; + border-radius: 4px; + margin-top: 1.5rem; + margin-bottom: 0; + color: #fff; + + &--breaking-change { + background-color: #c0392b; + } + + &--security-advisory { + background-color: #c0392b; + } + + &--deprecation { + background-color: #e67e22; + } + + &--new-feature { + background-color: var(--primary-1); + } + + &--enhancement { + background-color: var(--primary-2); + color: var(--primary-3); + } + + &--bug-fix { + background-color: #27ae60; + } + + & + h4 { + margin-top: 0.25rem; + } +} diff --git a/changelog-1pager.md b/changelog-1pager.md new file mode 100644 index 0000000000..4d9a77b6ab --- /dev/null +++ b/changelog-1pager.md 
@@ -0,0 +1,86 @@ +# **Changelog notifications proposal 1 pager** + +**Your Name** [Dana Kleinerman](mailto:dana.kleinerman@chainguard.dev) +Proposed Mar 23, 2026***\- DRAFT*** +**Approvers:** \ \[ \], \ \[ \] +**Reviewers:**\, \ + +## Objective/Goals + +Provide customers an easy way to stay up-to-date with changes and audit user access to ensure they are using the latest and securest images available. This would include both notifications about changes as well as the ability to query access data. + +More specifically, + +1. Changelist of anything new or updated within Chainguard, as well as actionable next steps + 1. Notifications in console + 2. Access to a changelog updates in UI and API (to connect to their own systems) +2. Ability to audit specific activity within an org (which users in an org are using which features/images to better track usage patterns and also more easily determine who needs to switch to pulling more up-to-date images. Also useful for staying up-to-date with changes in activity and changes in roles ) + +Note that for this 1 pager, we’ll only focus on \#1 (Chainguard updates) and change usage/access auditing notifications for a later project. + +## Problems To Solve + +Today customers have difficulty discovering Chainguard updates that they need to be aware of (breaking changes, incidents, newly available images or image versions, changes in SBOMs, etc). + +This can lead to poor outcomes where they are using out of date, vulnerable images, or missing privileged role escalations that might be indicative of bad actors. It can also lead to a diminished user experience that could lead to lower engagement, such as missing out on new features that become available. + +## User Scenarios + +This is primarily useful for platform admin/engineers who need changelog information and auditing tooling to help them stay informed and ensure their org is up-to-date. 
+ +From the March CAB, customers expressed interest in changelog notifications and audit history: + +* API status call for new images. Could be integrated with internal MCP servers that are connected to open API docs and have some level of internal context +* Notifications that address “staleness problem” could be really helpful + +## Requirements & Solution + +**MVP requirements for Chainguard changelog notifications** +Types of changes to include: + +* High priority (no opting out; all admins have this turned on by default) + * Breaking changes + * Incidents + * KEVs + * CVEs + * Any other critical security issues that require immediate action +* Medium priority (on by default, but admins can opt out) + * Updates to any image requests the user makes via the image priority request dashboard + * Deprecations + * EOL notifications + * Any changes to roles that are not breaking changes (e.g. adding permissions to existing roles. Would count removing permissions as a breaking change) +* Low priority (on by default but easy to opt out. If we see most people opting out due to noise, we can change this to be opt in) + * New images that are available (outside of the ones the user requested) + * Version updates to existing images + * Changes in SBOMs + * New features + +Surfaces: + +* Console: + * New notifications center to show recent notifications (stored for no longer than a month to reduce noise) + * If users wish to track older notifications, they’ll either need to store them themselves using our API or refer to documentation, which should cover the majority of them + * New settings to modify what notifications the user receives + * Ability to subscribe to notifications with their email address +* API/Feed: + * Provide a way to view notifications without going to console or setting up email. Could use an MCP server here. + * (Stretch?) Could we help users automate updates? 
So that human users don’t need to watch out for every change notification, and allow them to just focus on the critical ones. +* Public Documentation + * All breaking changes, updates, new features, deprecations should be included in a version history documentation page that is publicly available. + * Take inspiration from [AWS whats new](https://aws.amazon.com/new/) or [Linear](https://linear.app/changelog). + +## Timeline & Gameplan + +| Feature | Surface | Timeline | +| :---- | :---- | :---- | +| Public version history docs page | https://edu.chainguard.dev/chainguard/chainguard-images/ | ASAP but can run in parallel with other work | +| Support for Critical notifications | UI and email | Ideally End of Q1 | +| Support for Critical notifications | API/Feed | Q2 | +| Support for medium priority notifications | All surfaces | | +| Support for low priority notifications | All surfaces | | + +## Metrics + +* Engagement funnel: Notifications seen \> notifications acted upon \> notifications dismissed/ignored +* % interaction via UI versus API + diff --git a/changelog-writeup.md b/changelog-writeup.md new file mode 100644 index 0000000000..f173e80148 --- /dev/null +++ b/changelog-writeup.md 
@@ -0,0 +1,129 @@ +# Chainguard Academy Changelog — Build Summary + +## What was built + +A new changelog section at `content/chainguard/chainguard-images/changelog/` with the following structure: + +``` +changelog/ + _index.md — section landing page with links to year pages + 2026.md — all 2026 entries +``` + +Each year lives in a single file (e.g., `2026.md`). Entries within a year are ordered newest-first, grouped under date headings. + +Two supporting files were also added: + +- **`layouts/shortcodes/changelog-label.html`** — a shortcode that renders a colored badge for the entry type (e.g., Breaking Change, New Feature, Security Advisory) +- **`assets/scss/components/_changelog.scss`** — styles for the badges and their spacing relative to entry headings; imported via `app.scss` + +--- + +## Entry format + +Each entry in a year file follows this pattern: + +```markdown +## Month Day Year + +{{}} + +#### Entry title summarizing the change + +One or two sentences describing what changed and, if applicable, what the reader needs to do. +``` + +Supported label types and their colors: + +| Label | Color | +|---|---| +| `Breaking Change` | Red | +| `Security Advisory` | Red | +| `Deprecation` | Orange | +| `New Feature` | Brand purple | +| `Enhancement` | Brand aqua | +| `Bug Fix` | Green | + +--- + +## Adding real entries + +1. **New entry in an existing year** — open the relevant year file (e.g., `2026.md`) and add the entry at the top, under a new or existing date heading. Update the `lastmod` field in the frontmatter to today's date. + +2. **New year** — copy `2026.md`, rename it (e.g., `2027.md`), clear the entries, update the frontmatter dates, and add a link to it in `_index.md`. + +3. **New label type** — add a CSS rule to `_changelog.scss` following the existing pattern; the shortcode will handle the class name automatically by lowercasing and hyphenating whatever string you pass in. 
+ +--- + +## Connecting to an API + +There are two main approaches, and the right choice depends on how fresh the data needs to be: + +### Option 1: Build-time fetch (Hugo `resources.GetRemote`) + +Hugo can call a remote API at build time and render the response into static pages. You'd replace the hand-authored markdown entries with a Hugo template that fetches JSON from the API and loops over the results, outputting the same label/heading/description structure. + +**Pros:** No JavaScript required, pages stay fully static, works with existing layout. +**Cons:** Data is only as fresh as the last site build. Requires a rebuild (and redeploy) to pick up new changelog entries. + +This is the right fit if the changelog is updated infrequently (e.g., a few times a week) and your CI/CD already triggers builds on a schedule or webhook. + +### Option 2: Client-side fetch + +A small JavaScript snippet on the changelog page fetches from the API at page load and renders entries into the DOM. The markdown file would just be a shell with a placeholder element. + +**Pros:** Always up to date without a rebuild. +**Cons:** Requires JS, adds a loading state, and the Hugo shortcode/label system wouldn't apply — you'd need to replicate the badge styling in JS-rendered HTML. + +### Recommendation + +Given that this is a Hugo static site and the changelog doesn't need to be real-time, **Option 1 is the cleaner fit**. The year files (`2026.md`) would become templates rather than authored content, and the `changelog-label` shortcode logic would move into the template loop. + +When the API is ready, the migration path would be: +1. Agree on the JSON schema the API returns +2. Write a Hugo partial that maps API fields (change type, date, title, description) to the existing visual structure +3. 
Replace the authored year files with template-driven ones that call `resources.GetRemote` + +--- + +## Proposed API JSON schema + +Based on the entry structure used in the static changelog, here is a proposed schema for the API response: + +```json +{ + "entries": [ + { + "id": "2026-04-01-openssl-cve-xxxxx", + "date": "2026-04-01", + "change_type": "security-advisory", + "title": "OpenSSL CVE-2026-XXXXX patched in all images", + "description": "All Chainguard Container images containing OpenSSL have been updated to address CVE-2026-XXXXX, a high-severity vulnerability affecting TLS handshake processing. Pull the latest version of any affected image; if you are pinned to a digest, update your digest reference.", + "affects": "All images containing OpenSSL", + "action_required": true, + "links": [ + { + "label": "Learn more", + "url": "https://edu.chainguard.dev/chainguard/chainguard-images/changelog/2026/#openssl-cve-2026-xxxxx-patched-in-all-images" + } + ] + } + ] +} +``` + +### Field reference + +| Field | Type | Description | +|---|---|---| +| `id` | string | Unique identifier; used to generate anchor links | +| `date` | string (ISO 8601) | Date of the change | +| `change_type` | string (enum) | One of: `breaking-change`, `security-advisory`, `deprecation`, `new-feature`, `enhancement`, `bug-fix` | +| `title` | string | Short entry title (used as the heading) | +| `description` | string | One or two sentences describing the change and any required action | +| `affects` | string | Optional. What products, images, or users are affected | +| `action_required` | boolean | Whether the reader needs to take action | +| `links` | array | Optional. Related links (docs pages, CVE records, etc.) | + +The `change_type` values are intentionally aligned with the CSS class slugs already used by the `changelog-label` shortcode, so no mapping layer is needed when rendering. 
diff --git a/content/chainguard/chainguard-images/changelog/2026.md b/content/chainguard/chainguard-images/changelog/2026.md new file mode 100644 index 0000000000..1e888016e8 --- /dev/null +++ b/content/chainguard/chainguard-images/changelog/2026.md 
@@ -0,0 +1,65 @@ +--- +title: "2026 Changelog" +linktitle: "2026" +description: "Notable changes to Chainguard Containers in 2026, including breaking changes, new features, security advisories, deprecations, and EOL notices." +type: "article" +date: 2026-01-01T00:00:00Z +lastmod: 2026-04-01T00:00:00Z +draft: false +images: [] +tags: ["Changelog", "Chainguard Containers"] +toc: true +weight: 001 +--- + +## April 1 2026 + +{{< changelog-label "Security Advisory" >}} + +#### OpenSSL CVE-2026-XXXXX patched in all images + +All Chainguard Container images containing OpenSSL have been updated to address CVE-2026-XXXXX, a high-severity vulnerability affecting TLS handshake processing. Pull the latest version of any affected image; if you are pinned to a digest, update your digest reference. + +{{< changelog-label "Bug Fix" >}} + +#### Fixed incorrect SBOM component listing for multi-arch images + +Multi-arch images were occasionally generating SBOMs that omitted components present only in non-amd64 layers. This has been corrected; re-pull affected images to receive an updated SBOM. + +--- + +## March 15 2026 + +{{< changelog-label "Breaking Change" >}} + +#### Default container user changed to non-root across all images + +All Chainguard Container images now run as a non-root user by default, aligning with Chainguard's security-hardening standards. Review your workloads for root requirements and set `securityContext.runAsUser: 0` (Kubernetes) or `--user root` (Docker) where needed. + +{{< changelog-label "Deprecation" >}} + +#### Legacy image tag format `YYYYMMDD` deprecated + +The date-stamped tag format (e.g., `image:20250315`) is deprecated and will be removed in Q3 2026. Migrate to the supported `:latest` or digest-pinned references before then. + +{{< changelog-label "Enhancement" >}} + +#### Provenance attestations now included by default for all images + +All images now ship with signed provenance attestations conforming to SLSA Build Level 2. 
No action is required; attestations are automatically available via the Chainguard API and `cosign verify-attestation`. + +--- + +## March 1 2026 + +{{< changelog-label "New Feature" >}} + +#### Expanded AI/ML image catalog now available + +Hardened images for PyTorch, TensorFlow, JAX, and common AI/ML tooling are now available in the standard Chainguard catalog, all built with zero known CVEs and including SBOMs. See the [AI/ML image catalog](/chainguard/chainguard-images/) for the full list. + +{{< changelog-label "New Feature" >}} + +#### Chainguard Images now available in AWS Marketplace + +Chainguard Container images can now be pulled directly through AWS Marketplace, simplifying procurement and enabling consolidated billing. See the [AWS Marketplace listing](#) for setup instructions. diff --git a/content/chainguard/chainguard-images/changelog/_index.md b/content/chainguard/chainguard-images/changelog/_index.md new file mode 100644 index 0000000000..3014030ba1 --- /dev/null +++ b/content/chainguard/chainguard-images/changelog/_index.md @@ -0,0 +1,19 @@ +--- +title: "Chainguard Containers Changelog" +linktitle: "Changelog" +description: "A record of notable changes to Chainguard Containers, including breaking changes, new features, security advisories, deprecations, and EOL notices" +type: "article" +date: 2026-04-06T00:00:00Z +lastmod: 2026-04-06T00:00:00Z +draft: false +images: [] +weight: 095 +--- + +This changelog covers notable changes to Chainguard Containers, including breaking changes, new features, security advisories, deprecations, and end-of-life notices. + +Individual image version updates are not listed here. For image-level update history, use the [Chainguard Console](https://console.chainguard.dev) or the Chainguard API. + +Entries are organized by year: + +- [2026](2026/) diff --git a/layouts/shortcodes/changelog-label.html b/layouts/shortcodes/changelog-label.html new file mode 100644 index 0000000000..a9e7a58100 --- /dev/null 
+++ b/layouts/shortcodes/changelog-label.html @@ -0,0 +1,3 @@ +{{- $label := .Get 0 -}} +{{- $slug := $label | lower | replaceRE `\s+` "-" -}} +{{ $label }} From 7e1c6c3e58d6d12eeb5888af5875f5b93100567c Mon Sep 17 00:00:00 2001 From: Mark Drake Date: Tue, 7 Apr 2026 11:30:50 -0700 Subject: [PATCH 2/4] css fix Signed-off-by: Mark Drake --- config/postcss.config.js | 1 + 1 file changed, 1 insertion(+) diff --git a/config/postcss.config.js b/config/postcss.config.js index f65e959afe..7f42b5d670 100644 --- a/config/postcss.config.js +++ b/config/postcss.config.js @@ -37,6 +37,7 @@ module.exports = { './node_modules/katex/dist/katex.css', './assets/scss/*.scss', './assets/scss/common/*.scss', + './assets/scss/components/*.scss', './node_modules/@docsearch/css/dist/modal.css', ]), ], From 1dfac5907766c788be2a7a1f47ee3acccb6681fa Mon Sep 17 00:00:00 2001 From: Mark Drake Date: Tue, 7 Apr 2026 11:34:52 -0700 Subject: [PATCH 3/4] css fix 2 Signed-off-by: Mark Drake --- config/postcss.config.js | 1 + 1 file changed, 1 insertion(+) diff --git a/config/postcss.config.js b/config/postcss.config.js index 7f42b5d670..012c0b096e 100644 --- a/config/postcss.config.js +++ b/config/postcss.config.js @@ -15,6 +15,7 @@ module.exports = { './content/**/*.md', ], safelist: [ + /^changelog-label/, 'lazyloaded', 'table', 'thead', From 4ae657b355e321813f1b9a684c25cef41e5c5482 Mon Sep 17 00:00:00 2001 From: Mark Drake Date: Tue, 7 Apr 2026 13:00:53 -0700 Subject: [PATCH 4/4] label updates Signed-off-by: Mark Drake --- assets/scss/components/_changelog.scss | 18 +++------- changelog-writeup.md | 8 ++--- .../chainguard-images/changelog/2026.md | 34 ++++++------------- 3 files changed, 19 insertions(+), 41 deletions(-) diff --git a/assets/scss/components/_changelog.scss b/assets/scss/components/_changelog.scss index 03e26c5281..0ce482d225 100644 --- a/assets/scss/components/_changelog.scss +++ b/assets/scss/components/_changelog.scss 
@@ -14,25 +14,17 @@ background-color: #c0392b; } - &--security-advisory { - background-color: #c0392b; - } - - &--deprecation { - background-color: #e67e22; + &--update { + background-color: var(--primary-2); + color: var(--primary-3); } &--new-feature { background-color: var(--primary-1); } - &--enhancement { - background-color: var(--primary-2); - color: var(--primary-3); - } - - &--bug-fix { - background-color: #27ae60; + &--deprecation { + background-color: #e67e22; } & + h4 { diff --git a/changelog-writeup.md b/changelog-writeup.md index f173e80148..15f34c1722 100644 --- a/changelog-writeup.md +++ b/changelog-writeup.md @@ -38,11 +38,9 @@ Supported label types and their colors: | Label | Color | |---|---| | `Breaking Change` | Red | -| `Security Advisory` | Red | -| `Deprecation` | Orange | +| `Update` | Brand aqua | | `New Feature` | Brand purple | -| `Enhancement` | Brand aqua | -| `Bug Fix` | Green | +| `Deprecation` | Orange | --- @@ -119,7 +117,7 @@ Based on the entry structure used in the static changelog, here is a proposed sc |---|---|---| | `id` | string | Unique identifier; used to generate anchor links | | `date` | string (ISO 8601) | Date of the change | -| `change_type` | string (enum) | One of: `breaking-change`, `security-advisory`, `deprecation`, `new-feature`, `enhancement`, `bug-fix` | +| `change_type` | string (enum) | One of: `breaking-change`, `update`, `new-feature`, `deprecation` | | `title` | string | Short entry title (used as the heading) | | `description` | string | One or two sentences describing the change and any required action | | `affects` | string | Optional. What products, images, or users are affected | diff --git a/content/chainguard/chainguard-images/changelog/2026.md b/content/chainguard/chainguard-images/changelog/2026.md index 1e888016e8..b531cc0a83 100644 --- a/content/chainguard/chainguard-images/changelog/2026.md +++ b/content/chainguard/chainguard-images/changelog/2026.md 
@@ -1,7 +1,7 @@ --- title: "2026 Changelog" linktitle: "2026" -description: "Notable changes to Chainguard Containers in 2026, including breaking changes, new features, security advisories, deprecations, and EOL notices." +description: "Notable changes to Chainguard Containers in 2026, including breaking changes, new features, updates, and deprecations." type: "article" date: 2026-01-01T00:00:00Z lastmod: 2026-04-01T00:00:00Z 
@@ -14,35 +14,23 @@ weight: 001 ## April 1 2026 -{{< changelog-label "Security Advisory" >}} - -#### OpenSSL CVE-2026-XXXXX patched in all images - -All Chainguard Container images containing OpenSSL have been updated to address CVE-2026-XXXXX, a high-severity vulnerability affecting TLS handshake processing. Pull the latest version of any affected image; if you are pinned to a digest, update your digest reference. - -{{< changelog-label "Bug Fix" >}} +{{< changelog-label "Breaking Change" >}} -#### Fixed incorrect SBOM component listing for multi-arch images +#### Default container user changed to non-root across all images -Multi-arch images were occasionally generating SBOMs that omitted components present only in non-amd64 layers. This has been corrected; re-pull affected images to receive an updated SBOM. +All Chainguard Container images now run as a non-root user by default, aligning with Chainguard's security-hardening standards. Review your workloads for root requirements and set `securityContext.runAsUser: 0` (Kubernetes) or `--user root` (Docker) where needed. --- ## March 15 2026 -{{< changelog-label "Breaking Change" >}} +{{< changelog-label "Update" >}} -#### Default container user changed to non-root across all images - -All Chainguard Container images now run as a non-root user by default, aligning with Chainguard's security-hardening standards. Review your workloads for root requirements and set `securityContext.runAsUser: 0` (Kubernetes) or `--user root` (Docker) where needed. +#### OpenSSL updated to address CVE-2026-XXXXX in all images -{{< changelog-label "Deprecation" >}} - -#### Legacy image tag format `YYYYMMDD` deprecated - -The date-stamped tag format (e.g., `image:20250315`) is deprecated and will be removed in Q3 2026. Migrate to the supported `:latest` or digest-pinned references before then. 
+All Chainguard Container images containing OpenSSL have been updated to address CVE-2026-XXXXX, a high-severity vulnerability affecting TLS handshake processing. Pull the latest version of any affected image; if you are pinned to a digest, update your digest reference. -{{< changelog-label "Enhancement" >}} +{{< changelog-label "Update" >}} #### Provenance attestations now included by default for all images @@ -58,8 +46,8 @@ All images now ship with signed provenance attestations conforming to SLSA Build Hardened images for PyTorch, TensorFlow, JAX, and common AI/ML tooling are now available in the standard Chainguard catalog, all built with zero known CVEs and including SBOMs. See the [AI/ML image catalog](/chainguard/chainguard-images/) for the full list. -{{< changelog-label "New Feature" >}} +{{< changelog-label "Deprecation" >}} -#### Chainguard Images now available in AWS Marketplace +#### Legacy image tag format `YYYYMMDD` deprecated -Chainguard Container images can now be pulled directly through AWS Marketplace, simplifying procurement and enabling consolidated billing. See the [AWS Marketplace listing](#) for setup instructions. +The date-stamped tag format (e.g., `image:20250315`) is deprecated and will be removed in Q3 2026. Migrate to the supported `:latest` or digest-pinned references before then.
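Review bot: in patch 1's `assets/scss/components/_changelog.scss`, `&--breaking-change` and `&--security-advisory` both hard-code `#c0392b`, and `&--deprecation` and `&--bug-fix` hard-code `#e67e22` and `#27ae60`, while `&--new-feature` and `&--enhancement` use the `--primary-*` brand tokens; define the hand-picked colours as variables next to the brand tokens so the two red labels can later be told apart (or the palette adjusted) without editing every rule, and say in a comment that Breaking Change and Security Advisory share red on purpose.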
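Review bot: patch 1 commits `changelog-1pager.md` at the repository root, and it is an internal planning draft: it carries an author's email address, unfilled `Approvers` / `Reviewers` placeholders, roadmap timelines and customer advisory board feedback. None of that belongs in a public documentation repository; keep it in the internal tracker and, if a design record is wanted in the repo, trim it to the public-facing scope. The header line `Proposed Mar 23, 2026***\- DRAFT***` is also malformed Markdown.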
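Review bot: in patch 1's `changelog-writeup.md`, the entry-format example under "Each entry in a year file follows this pattern" shows an empty `{{}}` where the shortcode call belongs; it should read `{{< changelog-label "New Feature" >}}` to match what `2026.md` actually uses. In the "Connecting to an API" section, both options render text fetched from a remote endpoint into the page, so the writeup should state how that content is handled: keep `description` as plain text and let Hugo's HTML-context escaping apply (no `safeHTML`), accept only `https:` values in `links[].url` before emitting them as `href`, constrain `id` to a slug character set since it becomes an anchor, and decide whether a failed `resources.GetRemote` call fails the build or falls back to the last good data rather than publishing an empty changelog.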
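Review bot: patch 1's `2026.md` has `draft: false` in its front matter while every entry is a placeholder (`CVE-2026-XXXXX`, a `(#)` link for the AWS Marketplace listing, sample dates), so the sample advisories publish as real ones the moment this merges; set `draft: true` or remove the entries until real ones exist. The non-root entry also tells readers to set `securityContext.runAsUser: 0` or `--user root` where needed, which undoes the hardening the entry announces; if that guidance stays, frame it as a last resort after fixing the workload's file permissions and port bindings.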
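Review bot: in patch 1's `layouts/shortcodes/changelog-label.html`, `$slug := $label | lower | replaceRE `\s+` "-"` only rewrites whitespace, so any other character in the label (a slash, an ampersand, a quote) lands verbatim in the class attribute; use Hugo's `urlize`, or check the label against the supported list and fall back to a default class, so the slug is always a safe class name, and give `.Get 0` a `default` so a call with no argument does not render an empty badge.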
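Review bot: patch 2's only change, adding `./assets/scss/components/*.scss` to the path list in `config/postcss.config.js`, is what patch 1 needs for the new `components/_changelog.scss` to be picked up, but the commit message is just `css fix` with no body; squash it into patch 1 or give it a message that says which step was ignoring the new directory and why.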
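Review bot: patch 3 adds `/^changelog-label/` to the `safelist` in `config/postcss.config.js` because the `changelog-label--<slug>` class names are built at render time in the shortcode and never appear literally in the scanned `./content/**/*.md` files, which is the right fix, but that reasoning is nowhere in the commit (`css fix 2`); put it in the message and, as with patch 2, consider squashing into patch 1 so each commit in the series builds with working styles.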
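Review bot: in patch 4's `_changelog.scss`, dropping `&--security-advisory`, `&--enhancement` and `&--bug-fix` leaves the shortcode still accepting those strings, so a leftover `{{< changelog-label "Security Advisory" >}}` in content renders as white text with no background rather than failing visibly; either add a base `background-color` on `.changelog-label` itself or have the shortcode error on labels outside the four supported ones.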
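Review bot: patch 4 narrows the `change_type` enum in `changelog-writeup.md` to `breaking-change`, `update`, `new-feature`, `deprecation`, but the sample JSON earlier in the same file still has `"change_type": "security-advisory"` with an `id` of `2026-04-01-openssl-cve-xxxxx`; update the example to a value in the enum, and note in the field reference that the API should reject values outside it so a type the CSS has no rule for cannot reach the page.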
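Review bot: patch 4 rewrites the `description` in `2026.md` to drop security advisories and EOL notices, but `_index.md` from patch 1 still promises both in its `description` and its opening sentence ("including breaking changes, new features, security advisories, deprecations, and end-of-life notices"); update the index page in the same commit so the two pages agree.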
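Review bot: in patch 4's `2026.md` hunk at `@@ -14,35 +14,23 @@`, the OpenSSL CVE entry is relabelled from `Security Advisory` to `Update`, which files a high-severity vulnerability fix under the same aqua badge as the provenance-attestation enhancement. The 1-pager in patch 1 puts CVEs in the no-opt-out high-priority tier, and the proposed schema already carries `action_required`; if the label set must shrink to four, keep security fixes visually distinct another way (render `action_required` as its own badge, or group them under a separate heading) so readers scanning the page can find the entries they must act on.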