About Chainguard Containers on

Chainguard Criteria for Determining Whether to Build a Container Image

Mon, 13 Jan 2025 11:07:52 +0200

There are currently over 2,000 Chainguard Containers and that number is always growing as we add more to our expanding catalog.

If you would like a Chainguard Container that is not yet available, or inquire about whether we would build a given container image, Chainguard will endeavor to perform an analysis on the request. Chainguard aims to build new container images that are relevant to our customers and to support broader software security goals. However, it is not always feasible to package and build software. Please note that we have the following general criteria when considering requests.

Chainguard Shared Responsibility Model

Thu, 17 Oct 2024 11:07:52 +0200

Chainguard’s mission is to be the safe source for open source. As part of this mission, Chainguard builds all of our packages and images from upstream open source code and delivers the resulting artifacts to our customers. There are three distinct parties involved here: Upstream projects, Chainguard, and Customers; each of these parties share some measure of responsibility across a few dimensions.

This guide is an overview of Chainguard’s Shared Responsibility Model: a framework that outlines the security responsibilities of upstream open source software projects, Chainguard, and its customers. The dimensions of shared responsibility this guide covers are:

Getting Started with Distroless Container Images

Thu, 21 Mar 2024 08:49:31 +0000

About Distroless Container Images

Distroless container images, like the ones built by Chainguard, are a type of container image designed to include only essential software required to run an application or service. Unlike traditional images based on Debian or Ubuntu — which include package managers, utilities, and shells — Chainguard’s distroless images remove these components to significantly reduce attack surface and minimize vulnerabilities.

How Chainguard Containers are Tested

Thu, 21 Mar 2024 11:07:52 +0200

Chainguard Containers are minimal, distroless container images that you can use to build and run secure applications. Given the importance of secure, highly performant images, Chainguard performs testing to ensure our container images match the functionality of upstream and other external counterparts.

This article provides a high-level overview of Chainguard’s approach to testing when building new container images to ensure their security and consistency with comparable container images.

Build requirements for new container images

Chainguard has a set of requirements in place that new container images must meet in order to be included in our Containers Directory. These requirements fall into two categories:

Chainguard's container variants

Fri, 01 Nov 2024 07:52:00 +0200

Chainguard Containers follow a distroless philosophy, meaning that only software absolutely necessary for a specific workload is included in an image. Designed to be as minimal as possible, Chainguard’s standard container images do not contain package managers such as apk, shells such as b/a/sh, or development utilities such as Git or text editors. However, this distroless approach isn’t suitable for every use case. For this reason, most Chainguard Containers have what’s called a development variant.

Chainguard Containers Product Release Lifecycle

Mon, 08 Jan 2024 08:49:31 +0000

Chainguard Containers are able to offer few-to-zero known vulnerabilities because they are updated frequently. Because of this continuous release cycle, the best way to mitigate vulnerabilities is to use the newest build of each Chainguard Container available. Chainguard keeps Containers up to date by doing one or more of the following:

Applying new releases from upstream projects
Rapidly applying upstream patches to current releases — you can read more about this in our blog post, “How Chainguard fixes vulnerabilities before they’re detected”
Applying Chainguard patches to OSS software

Upstream projects are updated frequently for many reasons, including to combat CVEs, and Chainguard ensures that the most up-to-date software is available in all Chainguard Containers. Additionally, Chainguard often identifies CVEs and other issues before scanners can detect them, so Chainguard may offer a patch to a vulnerable dependency to support Chainguard Containers with few-to-zero vulnerabilities.

Understanding Chainguard's Container Image Categories

Thu, 03 Apr 2025 11:07:52 +0200

Chainguard Containers are a collection of curated, distroless container images designed with a focus on software supply chain security. Chainguard’s container images are designed to be slim runtimes for production environments, emphasizing security and efficiency by removing unnecessary elements. Additionally, the images are designed to be easily integrated into existing workflows, helping organizations to build better, more secure software.

Within the Chainguard Containers Directory, Chainguard Containers are organized into five general categories (with some falling into multiple categories):

Working with Containers for Compiled Programs

Mon, 26 Aug 2024 18:42:57 +0000

How Chainguard Creates Container Images with Low-to-No CVEs

Fri, 31 May 2024 12:21:01 +0000

Tools and resources used in this video

Note: In November 2024, after this article was first written, Chainguard made changes to its free tier of container images. In order to access the non-free container images used in this guide, you will need to be part of an organization that has access to them. For a full list of container images that will remain in Chainguard's free tier, please refer to this support page.

Package and Image Name Mappings

Thu, 23 Oct 2025 11:07:52 +0200

When migrating to Chainguard Containers, you may notice that some package and image names differ from their upstream counterparts. This guide explains why these mappings exist and provides a comprehensive reference of how Chainguard maps image and package names to our container ecosystem.

Why Chainguard Remaps Package Names

Different Linux distributions often use different names for the same software. For example, Debian calls its C compiler package build-essential, while Alpine calls the equivalent package build-base and Fedora uses gcc and related packages. Chainguard Containers standardize these names to provide consistency regardless of which distribution you’re migrating from.

Can anybody build Chainguard Containers themselves?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: But everything is open source—can anybody build the images themselves?

Beyond Zero: Eliminating Vulnerabilities in PyTorch Container Images (PyTorch 2024)

Sat, 07 Sep 2024 01:21:01 +0000

Recording of Beyond Zero: Eliminating Vulnerabilities in PyTorch Container Images presented by Dan Fernandez, Srishti Hegde, and Patrick Smyth at PyTorch 2024

Session Description

Container images are increasingly the future of production applications at scale, providing reproducibility, robustness, and transparency. As PyTorch images get deployed to production, however, security becomes a major concern. PyTorch has a large attack surface, and building secure PyTorch images can be a challenge. Currently, the official PyTorch runtime container image has 1 CVE (known vulnerabilities) rated critical and 5 CVEs rated high. Improving this situation could secure many deployments that incorporate PyTorch for cloud-based inference or training. In this fast-paced session, we took a deep dive on the official PyTorch image from a vulnerability mitigation perspective, looking hard at included packages, executables, and active CVEs. We identify low-hanging fruit for increasing security, including stripping bloat and building fresh. We also talk about the next level of security practiced in Chainguard’s PyTorch image builds, such as including SBOMs and going distroless. Finally, we consider emerging tools and approaches for analyzing AI artifacts such as models and how these systems can benefit PyTorch in production.

Chainguard Container Catalog Pricing

Tue, 19 Aug 2025 08:49:31 +0000

Chainguard offers Catalog Pricing for our library of secure container images, providing access to the full catalog of Chainguard Containers. Catalog Pricing enables you to add individual images from the wider Chainguard catalog to your organization’s repository using the Self-Serve Catalog Experience.

This article highlights the benefits of the Catalog Pricing plan and outlines how you can provision container images through the Self-Serve Experience.

Catalog Pricing

The Catalog Pricing model provides a single subscription that grants unlimited access to the full catalog of container images maintained by Chainguard. This model removes the need for per-repository licensing and offers predictable monthly or annual costs. Subscriptions can include FIPS-compliant images, depending on the selected tier.

Chainguard Catalog Starter

Mon, 09 Mar 2026 07:52:00 +0200

Chainguard Catalog Starter is a way to try production-grade Chainguard Containers for free, without committing to a full subscription. It lets you choose a set of five container images from the broader Chainguard catalog so you can validate security, performance, and operational fit in your own environment before you buy.

Note: Chainguard Catalog Starter is in beta.

What is Catalog Starter?

With Chainguard Catalog Starter, users can choose any five non-FIPS images from our catalog of secure-by-default containers. Any Helm charts that depend on those images are included and count toward the five-image limit.