The cloud security company, Wiz, is now in the Linux distribution business with its release of WizOS.
This is a hardened Linux distribution designed from the ground up for enterprise containers. It’s built on Alpine Linux’s security and efficiency, but the company claims it has stricter security controls and does a better job of eliminating critical vulnerabilities. WizOS is now available in private preview for Wiz customers.
WizOS is engineered to address the persistent challenge of inherited vulnerabilities in container-based images. By adopting WizOS, enterprises can leverage a minimal, near-zero Common Vulnerabilities and Exposures (CVE) base image, ensuring that deployments are not halted by security flaws in shared components.
The distribution is compatible with Alpine’s architecture but transitions from Alpine’s musl libc C/POSIX library to glibc, broadening compatibility with a wider range of applications and dependencies while maintaining a lightweight footprint. This approach allows organizations to benefit from Alpine’s renowned efficiency and security, such as its small size (as little as 8MB in a container), rapid startup, and hardened toolchain, while overcoming compatibility limitations that sometimes accompany musl-based environments.
Not Merely a Repackaged Alpine
That said, WizOS is not just a repackaged Alpine but a fully reproducible, source-built distribution with a rigorous security model. Every component is built from source with signing and provenance, enabling organizations to “trust, but verify” what is running in their containers. The build pipeline is deterministic and tightly controlled, ensuring that only validated, secure components make it into production.
Wiz developed its own build pipeline for WizOS primarily to enforce stricter security standards and achieve a reproducible, deterministic, and auditable process for building container-based images. By contrast, Alpine uses a traditional package management and build system, Alpine Package Keeper (APK).
In an interview, Ariadne Conill, co-founder at Edera, the secure container runtime company and Alpine Linux’s maintainer, indicated she thinks Wiz might be better off pointing out the advantages of WizOS over traditional enterprise Linux distributions such as Red Hat Enterprise Linux (RHEL) rather than over Alpine. “For commercial distributions, I think the key is to talk about the differences in design philosophy versus legacy distributions like RHEL.”
Rolling Release Software Delivery
Conill continued, “We’ve made rolling-release software distribution palatable to the enterprise. It turns out that there is actually demand in enterprises for rolling release software delivery, driven mostly by engineers who need modern software and tools. Trust and transparency are required for engineers to use the images and underlying distribution. The functional acceptance tests are public for packages in Alpine and Wolfi; this helps to build trust in the product, as skeptics can see the acceptance criteria for themselves and scrutinize it accordingly.”
It would be a mistake, Conill said, for Wiz to target Alpine as a competitive threat. If they do, “they could lose all the benefits of Alpine, all the reasons they chose to base WizOS on Alpine. If Wiz chooses to engage with the Alpine community and the greater APK community, they will be poised to be quite successful. What I know for sure is that innovation happens at the grassroots level of these open source communities, and we need commercial interest to support that, for everyone’s benefit.”
Unfortunately, that’s precisely what Wiz has been doing. This may be an attempt to differentiate WizOS from Alpine, Wolfi, and the newly released Docker Hardened Images (DHI). Ironically, only days after WizOS was launched, Red Hat released RHEL 10, which, for the first time, is also an immutable Linux distribution.
Conill was right when she told me, “We are seeing a paradigm shift right now towards more composable and declarative images. Chainguard’s apko tool is a good example of this. NixOS, with its ability to output OCI images, is another. But Nix is intimidating and requires a lot of buy-in.”
She continued, “APK sits in a sweet spot: It’s still a declarative package manager, and it’s a transactional package manager as well. This gives you the safety guarantees of Nix, but in a more familiar and accessible setting.”
Wiz acknowledges the debt it owes to the broader open source and cloud-native community. Specifically, the company highlights the contributions of Google’s Distroless initiative, Red Hat’s Universal Base Images, Chainguard’s Wolfi OS, Docker’s minimal image efforts, and Alpine Linux itself.
Transitioning to WizOS
According to Wiz, transitioning to WizOS is straightforward for teams already using Alpine-based images, requiring only minor adjustments to Dockerfiles and Helm charts. For organizations using Ubuntu or Debian, the company warns that the migration process is more involved but remains manageable, especially for those with Golang-heavy architectures and lightweight dependencies.
The company has also invested in robust testing infrastructure, ensuring that new versions of WizOS undergo full functional validation and end-to-end testing before release. This focus on stability and security at scale sets WizOS, Wiz claims, apart from other container-based images, which often prioritize “latest” features over long-term reliability.
With the launch of WizOS, Wiz is attempting to position itself as a leader not only in cloud security but also in the secure software supply chain. By providing enterprises with a hardened, Alpine-inspired Linux distribution, Wiz aims to help organizations “start secure and stay secure,” embedding security into every layer of their cloud native infrastructure. That said, as Conill observed, “Alpine and Wolfi [already] control a large portion of overall base image share. I would argue that cloud native practitioners are already familiar with APK.”
For now, WizOS is available in private preview, with broader availability expected as the platform matures and enterprise demand grows. Organizations interested in adopting WizOS can contact their Wiz account teams for more information and early access. You can then make your own call as to which, if any, immutable Linux distribution is what you and your company need.