Chainguard

Computer and Network Security

Kirkland, WA 55,635 followers

Safe source for open source.

About us

Chainguard is the trusted source for open source. By delivering hardened, secure, and production-ready builds of all the open source software engineers rely on, Chainguard helps organizations build faster, stay compliant, and eliminate risk. Its customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/

Website
https://chainguard.dev
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
Kirkland, WA
Type
Privately Held
Founded
2021
Specialties
software supply chain security, cybersecurity, container images, and software development


Updates

  • Chainguard reposted this

    How many of you have been in this situation? Your scanners just flagged yet another high severity CVE in one of your Python applications, you have a huge feature release coming up in only a few days, and you're stuck on an older version of a critical dependency that you can't update safely. If this sounds familiar, my team and I at Chainguard may be able to help. My latest blog post goes over how the Chainguard Factory backports patches for our Python Libraries product. You'd be surprised how many technical challenges there are when backporting patches at scale. For example:
    - How do you compare a backported patch to an upstream patch?
    - How do you ensure that a patch really does fix a vulnerability?
    - How do you know for sure the patch even comes from the real upstream project?
    My team and I have spent a lot of time recently thinking about these problems. This blog post covers some of the answers we have found. https://lnkd.in/gUpVq-kv

  • If you’ve ever felt like security reviews are slowing down your sales cycles, you’re not alone: Procurement asks for SBOMs. Customers want proof of provenance. Security teams send long questionnaires. Security and compliance aren’t an afterthought anymore... they’re part of the buying criteria. If this sounds too familiar, Sam Katzen breaks down how we help engineering teams build software that is easier to trust, easier to buy, and built to scale. ⚖️ https://lnkd.in/ebdnrcq8

  • Chainguard reposted this

    Zero CVEs sounds great. But what if the vulnerability is still there? I had a hand in this new deep dive by Chainguard Research that examines how Docker Hardened Images handle certain Debian “no-DSA” CVEs — and why that approach deserves a closer look. A no-DSA does not mean “not affected.” It means Debian has chosen not to issue an out-of-cycle security advisory. In multiple cases highlighted in the report (vulnerabilities in glibc, ncurses), CVEs with upstream fixes available remain present in Docker Hardened Images, yet are marked as “not affected” in VEX documents because Debian labeled them no-DSA. No patch was applied and the vulnerability still applies, but the CVE is suppressed when scanning DHI images using VEX or with Docker Scout. Docker is in a bit of a difficult spot on CVEs that Debian chooses not to prioritize. Docker could cherry-pick the upstream commit to apply to their DHI images, but then they’d be effectively maintaining a fork of Debian. Alternatively, they could take the hit, not suppress the CVE in published VEX documents, and let Docker Scout detect the CVE, which legitimately applies to many DHI images (golang, python, postgres, nginx, and many others). Ultimately, Docker should not suppress CVEs in this way. How vendors achieve zero CVEs matters. If no patch is applied, a vulnerability should appear in CVE scans. Patch or surface, don't hide. Full post: https://lnkd.in/ecc5gJAD

  • The :latest tag has a reputation. We’ve been told to avoid it at all costs. It’s unpredictable. It breaks builds. It’s “not production safe.” But what if the problem isn’t latest, it’s how we use it? Adrian Mouat breaks down why :latest isn’t inherently insecure, and how pairing it with digest pinning and automated updates can actually give you both velocity and reproducibility. 💡 https://lnkd.in/efSAVhRg

  • Today, we’re announcing a major expansion of Chainguard Libraries across JavaScript, Python, and Java. We’re delivering broad, malware-resistant dependency coverage to the ecosystems that power 70-90% of enterprise applications. 👏
    ✅ 94% Python dependency coverage across our customers’ environments
    📦 ~1M Java dependency versions rebuilt (Spring Boot, Jackson, Log4j & more)
    🟩 88% coverage of npm’s top 500 high-impact packages
    🧠 500K+ Python versions built, including complex AI libs like PyTorch and torchvision
    Every library is rebuilt from publicly verifiable source code in the SLSA L2-compliant Chainguard Factory. This means it is built with signed provenance and SBOMs, so teams know their artifacts match source code bit-for-bit. ❓Why does this matter❓ Over the last year, researchers uncovered 450,000+ malicious open source packages… that is roughly one every minute. Engineering teams shouldn’t have to choose between moving fast and staying secure. Chainguard Libraries delivers open source dependencies as trusted infrastructure, eliminating the trade-off between development velocity and security. Learn how we’re helping enterprises and AI innovators move fast without compromising trust (linked in comments).

  • We're launching a new mini-series called 'Hard Truths', where we ask an expert to share an uncomfortable truth in 60 seconds. 🥊 In our first video, Patrick Smyth explains why he thinks agentic attacks will double this year and how people with low to no skills can now launch sophisticated attacks on software. Do you agree? ✨ P.S.: If you or someone you know has a hot take... tag them in the comments!

  • Chainguard reposted this

    Grateful to the Chainguard team for being a true partner in helping us achieve FedRAMP High certification and making security our biggest sales asset 🙏🏼 Chainguard is a huge accelerator for both our tech and sales, as our focus on security has helped us actively expand existing relationships, grow our average contract value, and bring on new customers with DoD high compliance needs. Appreciate their tech and their team! Shoutout to Mustafa Megahed and Sarah Haberman for all the support. Now our engineers can focus more time on building and less on chasing security fixes. Check out the full case study below!

    GovSignals transformed security into a growth accelerator by building on secure-by-default Chainguard Containers, enabling them to:
    • Achieve and support FedRAMP High authorization with a hardened, compliant foundation
    • Eliminate 10,000+ CVEs, dramatically reducing risk and remediation overhead
    • Maintain the velocity of a lean engineering team, without slowing innovation
    Read the full case study: 🫰 https://lnkd.in/gb5GKhRg


Funding

6 total rounds
Last round: Debt financing, US$ 280.0M