Milestone: 1,000 Secure Container Images and Over 100 Work Years Saved

Matt Moore, CTO & Co-founder

Today marks a significant milestone: Chainguard's catalog now includes 1,000 secure container images, covering the most popular open source projects, languages, and libraries used by millions of developers worldwide. Over 100 enterprise customers including Anduril, Canva, Cyera, Snowflake, and Wiz have adopted these images to strengthen their software development lifecycle. We've remediated more than 54,000 CVEs, saving our customers' teams over 216,000 engineering hours (or, divided by 40 hours per week, 103 “work years”).


It’s thanks to our talented team and incredible customers that we’ve gotten to this point on our three-year anniversary. As founders, we can’t help but find ourselves reflecting on how far we have come, why we chose to embark on this journey, and why we navigated a path that some folks told us was the harder way to do things when it comes to securing the open source software we all depend on. 


The Hard Path to Better Security


As a CISO at one of our customers put it:


"What you do isn't magic. You do something difficult. You do it really well. And you do it for a sustained period of time. That's how value is created."


The journey to this point started a decade ago when Dan Lorenc and I created the distroless project at Google—the first hardened, minimal base images. While that project proved the concept by leveraging Debian's work, we recognized its limitations. When founding Chainguard, we chose to take the more challenging but ultimately superior approach: building everything from source.


By the time we started Chainguard, we clearly understood the limitations of the traditional distroless approach, and we knew that to make Chainguard Images the compelling product it is today, we were going to have to “run headfirst towards an extremely difficult, but ultimately better, approach.”


This decision enables us to:


  • Deliver industry-leading CVE remediation SLAs

  • Provide comprehensive SBOMs and provenance attestation

  • Support diverse software version requirements

  • Enable advanced compiler hardening features

  • Eliminate CVEs even in non-minimal images

  • Patch vulnerabilities faster than mainstream distributions


Delivering in these areas gives our customers peace of mind that the images they are using are not only secure from the jump, but also receive best-in-class support as the images are integrated into their production environments. Because we build from source, Chainguard Images users can focus on building, rather than patching and remediating vulnerabilities.


Building Trust Through Independence


Ultimately our goal of zero CVEs only has the desired impact if our customers’ CVE scanners report zero CVEs, and by creating our own distribution, we made things harder for ourselves. This choice meant we had to reach out to more than a dozen open source projects and proprietary vendors and work with them to integrate support for Wolfi and Chainguard. You might ask: Why not just build our own scanner?


We see this as a major conflict of interest. We believe that CVE scanners should act as an independent audit of our zero CVE commitment. Key word: independent. Does it make things harder? Absolutely, but it is worth it for the confidence it gives our customers. Additionally, we have been able to partner with many leading open source and enterprise vulnerability scanners from AWS, Snyk, GitLab, GCP, and others to create an ecosystem that helps prioritize the remediation of vulnerability scan results.


Assembling World-Class Expertise


Success required building deep Linux distribution expertise. Starting with Ariadne Conill's Alpine experience, we've grown to include veterans from Debian, Red Hat, and Ubuntu under the leadership of Dustin Kirkland, our VP of Engineering. To accelerate our growth, we've recently made key leadership additions: Liz Egan, former CMO at Lattice and Yext, has joined as SVP of Marketing, while Rob Finn, previously with Wiz and Palo Alto Networks, leads our EMEA expansion as VP of International Sales.


The Impact


Three years in, the results validate our approach. As one customer noted: "Before Chainguard, we thought of this problem as intractable."


Chainguard Images has demonstrated clear value by eliminating CVE remediation toil, reducing security risks, and helping companies achieve compliance certifications. As adoption grows and customer impact scales, we continue expanding our capabilities.


The look of amazement when customers first see zero CVEs in their images reminds us why we chose the harder path—because solving difficult problems allows the real magic, building world-changing tools, products, and solutions, to happen.


Want to see this "magic" firsthand? Reach out to learn how our images can help you, or meet us at KubeCon North America in Salt Lake City, November 11-15.
