Chainguard
By Chainguard
Chainguard is a software supply chain security company that produces minimal, hardened, and continuously rebuilt container images designed to eliminate known vulnerabilities and provide verifiable provenance for every build.
Definition
Chainguard is a software supply chain security company that produces minimal, hardened, and continuously rebuilt container images designed to eliminate known vulnerabilities and provide verifiable provenance for every build.
Overview
Container images built from general-purpose base images tend to accumulate operating-system packages, libraries, and tools that an application never actually uses — each one a potential source of vulnerabilities. Chainguard's flagship product, Chainguard Images, addresses this by building minimal, often distroless images based on Wolfi, an undistro Linux build specifically designed for container use, rebuilt daily so that newly disclosed CVEs are patched quickly rather than lingering in stale images. Beyond minimizing attack surface, Chainguard emphasizes verifiable software supply chain security: images ship with a Software Bill of Materials (SBOM) and cryptographically signed provenance so teams can prove exactly what went into a build and where it came from, aligning with frameworks like SLSA (Supply-chain Levels for Software Artifacts). This work builds on the broader open-source supply-chain security movement — including projects like Sigstore for signing and verifying software artifacts — that some of Chainguard's founders helped originate. Chainguard images are designed as drop-in replacements for common base images used with Docker and Kubernetes, and are typically stored and scanned alongside other artifacts in registries such as Harbor. Because supply-chain security spans build pipelines, image registries, and deployment, Chainguard's approach is often taught as part of a broader DevSecOps practice.
Key Features
- Minimal, often distroless container images with drastically reduced attack surface
- Built on Wolfi, an undistro Linux distribution designed for containers
- Daily rebuilds to keep images patched against newly disclosed CVEs
- Signed provenance and Software Bill of Materials (SBOM) for every image
- Drop-in compatibility with common Docker and Kubernetes base images
- Alignment with supply-chain security frameworks such as SLSA
- Enterprise offerings for private, customized hardened image catalogs