Chainguard
Chainguard, founded by former Google engineers with deep experience in Linux distributions and supply chain security, is a provider of hardened, continuously updated, “zero-CVE” open-source software packages, from base operating system images to minimal container images, language libraries, and virtual machine appliances. The company focuses on devsecops teams, with solutions designed to give both developers and security architects a more trustworthy foundation for building and running software.
The flagship offering is a rolling Linux distribution backed by security SLAs: seven days for critical vulnerabilities and 14 for others, though the average fix time is under 48 hours, according to the company. Chainguard says it maintains a growing catalog of more than 1,600 container images, expanding by about 100 per month, each built directly from upstream source rather than derived from another distribution. This “farm-to-table” approach ensures the entire tool chain, including compilers, runtimes, and dependencies, is rebuilt, retested, and re-released within hours of an upstream update.
Chainguard Libraries are secure builds of widely used Java and Python packages, with Node.js libraries next on the roadmap. Chainguard says that building libraries from source addresses a common gap, where developers fetch third-party code directly from the internet without the protections of a packaged distribution. A third product line, Chainguard Virtual Machines, applies the same minimal, hardened philosophy to purpose-built VM appliances, often used as Kubernetes worker nodes or in scale-out cloud deployments. In many cases, container images from the Chainguard catalog can be rendered as bootable VM appliances for workloads that require full OS-level access to hardware resources.
