
In the latest OpenSSF Tech Talk, we focused on a significant hurdle in software supply chain security: managing software delivery and upkeep within air-gapped and restricted network environments. You can now view the recording on the OpenSSF YouTube channel, and the presentation slides are accessible here.
Moderated by Eddie Knight from Sonatype and featuring Brandt Keller and Kit Patella of Defense Unicorns alongside Dan Miller from Boeing, the session explored the practical realities of air-gapped DevSecOps, where security, compliance, and connectivity collide, and how Zarf, an open source project under the OpenSSF, is making this easier.
Why Air-Gapped Environments Are So Challenging
Even in “connected” organizations, connectivity is rarely absolute. Expiring tokens, blocked registries, and unreachable CVE feeds can silently break workflows. For teams working in regulated sectors like defense, healthcare, and finance, those same issues can completely halt deployment pipelines.
As Brandt explained, air-gapped or partially connected systems face a long list of constraints: dependencies that need mirroring, policies that assume constant connectivity, patching processes that introduce new scrutiny requirements, and observability gaps caused by the absence of remote telemetry. The result is often a paradox – security teams want to patch fast, but the process of patching itself requires slow, manual validation.
“Air-gapped environments force us to think differently,” Brandt said. “You have to verify everything before it crosses the boundary.”
How Zarf Bridges the Gap
That’s where Zarf comes in. Designed for secure, repeatable software delivery, Zarf packages everything your application needs, including images, Helm charts, manifests, binaries, and configuration files, into a single declarative tarball.
Kit walked attendees through a live demo showing how Zarf’s create and deploy lifecycle simplifies this process.
- On the connected side, developers can build packages, generate SBOMs automatically, and verify dependencies before deployment.
- On the air-gapped side, operators can deploy the same package with a single command, without worrying about external registries or broken dependencies.
The result is a workflow that’s reproducible, auditable, and secure by default, while also reducing the cognitive load on engineers who maintain systems under strict isolation.
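A minimal Zarf package definition with the create/deploy commands for the lifecycle described above, added here as an illustration rather than taken from the talk or the Zarf project itself; the application name, chart, image, file paths and checksum are constructed placeholders, and the zarf.yaml field names follow Zarf's package schema.

```yaml
# zarf.yaml (constructed example; names, versions and paths are placeholders)
kind: ZarfPackageConfig
metadata:
  name: podinfo-demo        # becomes part of the output tarball name
  description: "Demo app: image, Helm chart, manifest and a pinned binary"
  version: 0.1.0
components:
  - name: podinfo
    required: true
    charts:
      - name: podinfo
        url: https://stefanprodan.github.io/podinfo   # Helm repo, fetched at create time
        version: 6.4.0
        namespace: podinfo
    images:
      # Every image the chart needs is listed explicitly so it is pulled on the
      # connected side and pushed into Zarf's internal registry on deploy;
      # nothing is fetched from the internet once the package is built.
      - ghcr.io/stefanprodan/podinfo:6.4.0
    manifests:
      - name: extra-config
        namespace: podinfo
        files:
          - manifests/configmap.yaml      # local file relative to zarf.yaml
    files:
      - source: https://example.invalid/tools/helper-v1.2.3   # placeholder URL
        target: /opt/helper/helper
        executable: true
        # Pin the download: package creation fails if the digest does not match.
        shasum: 0000000000000000000000000000000000000000000000000000000000000000  # placeholder

# Connected side (build once, verify before it crosses the boundary):
#   zarf package create . --confirm
#     -> zarf-package-podinfo-demo-amd64-0.1.0.tar.zst, with SBOMs generated
#        automatically and bundled inside the package
#   zarf package inspect zarf-package-podinfo-demo-amd64-0.1.0.tar.zst
#
# Transfer the single tarball across the air gap, then on the isolated cluster:
#   zarf init --confirm          # once per cluster: stands up the internal registry
#   zarf package deploy zarf-package-podinfo-demo-amd64-0.1.0.tar.zst --confirm
```

The same tarball is what gets reviewed on the connected side and deployed on the disconnected side, so what was inspected is exactly what runs.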
“It’s not about building new tools,” Kit explained. “It’s about building trust into how we deliver software.”
Lessons from the Field: Boeing’s Experience
Dan Miller from Boeing shared how his team transitioned from a tangle of manual scripts and custom Ansible playbooks to a standardized Zarf-based workflow.
Before adopting Zarf, deployments involved hand-crafted tarballs, external registries, and countless hours spent coordinating dependencies. “We were reinventing the wheel every time,” Dan said.
Now, Boeing uses Zarf to create reusable, declarative packages for each application and bundle them into “packages of packages” for platform rollouts. Zarf’s built-in registry, SBOM tooling, and YAML-based structure eliminated much of the custom scripting that once slowed down deployment.
“It just works,” Dan added. “Zarf turned a process that took days into something repeatable, inspectable, and easy to maintain.”
Beyond Air Gaps: Why Zarf Matters for Everyone
While Zarf was designed for fully disconnected systems, its benefits extend to mixed-connectivity and enterprise environments. By pre-packaging dependencies, organizations can minimize reliance on fragile network paths, avoid downtime from external service outages, and improve traceability for compliance.
As Brandt noted, “Air-gapped software delivery is really just an extreme version of a problem we all face – how to make our software supply chains more predictable and secure.”
Zarf’s philosophy aligns closely with OpenSSF’s mission: making secure-by-design software accessible to everyone. Its packaging model naturally incorporates SBOMs, signatures, and provenance information, helping teams bake security into their workflows rather than bolting it on later.
The Human Element
One of the strongest takeaways from the session came from Kit:
“If an organization believes that making developers’ lives easier creates value, then tools like Zarf make sense.”
That sentiment captures the essence of DevSecOps – empowering people through better processes and open collaboration. When the secure path is also the easiest path, adoption follows naturally.
Join the Conversation
The Zarf Tech Talk is available to watch on OpenSSF YouTube and slides are available here.
If you’re experimenting with air-gapped or sovereign cloud deployments, or simply want to strengthen your secure delivery pipeline, join the discussion in the OpenSSF Slack and explore the Zarf project on GitHub.
Stay tuned for more upcoming Tech Talks as we continue to showcase tools, frameworks, and real-world lessons that make open source software more secure for everyone.