Migration on

Find a Matching Chainguard Image Using the API

Tue, 26 May 2026 00:00:00 +0000

This guide walks through calling the Chainguard Image Matcher API to find the best Chainguard equivalent for an existing container image. It assumes you already have an SBOM for the image you want to migrate.

For background on how the matcher works and how it scores recommendations, see Image Matcher Overview.

Prerequisites

Before getting started, you will need:

Migrating to PHP Chainguard Containers

Thu, 04 Apr 2024 15:56:52 -0700

Chainguard’s PHP containers provide enhanced security for PHP applications through minimal, purpose-built images that significantly reduce attack surface. Built on Wolfi, these containers achieve dramatically fewer vulnerabilities compared to traditional PHP images while maintaining full compatibility with PHP workloads. Daily automated builds ensure applications receive the latest security patches without manual intervention.

This article will assist you in the process of migrating your existing PHP Dockerfiles to leverage the benefits of Chainguard Containers, including a smaller attack surface and a more secure application footprint.

Image Matcher Overview

Tue, 26 May 2026 00:00:00 +0000

The Chainguard Image Matcher is an API-based tool that analyzes the software bill of materials (SBOM) of an existing container image and returns a ranked list of Chainguard images that most closely match it. It is designed to support migration workflows where you know what you are running today and want to find the best Chainguard equivalent.

How it works

You supply an SBOM for your current image, along with the source Linux distribution. The Image Matcher maps the packages in your SBOM to Chainguard APK packages, scores each candidate Chainguard image based on how well its contents cover your requirements, and returns a ranked list of recommendations with confidence scores.

Migrating to Node.js Chainguard Containers

Thu, 09 May 2024 15:56:52 -0700

Chainguard’s Node.js containers offer a streamlined migration path for applications seeking enhanced security posture through minimal, distroless design. Built on Wolfi, these containers significantly reduce attack surface compared to traditional Node.js images, resulting in fewer vulnerabilities and smaller image sizes. Daily automated builds ensure your applications always have the latest security patches without manual intervention.

What is Distroless?

Distroless container images are minimal container images containing only essential software required to build or execute an application. That means no package manager, no shell, and no bloat from software that only makes sense on bare metal servers.

What is Wolfi OS?

Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.

What are multi-stage builds?

Multi-stage builds are a Docker feature that allow you to use multiple FROM statements in a single Dockerfile, where each statement begins a new build stage. In a typical pattern, an early stage uses a full-featured builder image to compile code or generate artifacts, while a later stage uses a minimal runtime image and copies in only what's needed to run the application. Only what you explicitly copy from one stage carries forward — everything else is discarded when that stage completes.

Migrating to Python Chainguard Containers

Thu, 02 May 2024 15:06:00 -0700

Chainguard’s Python containers provide a migration path to significantly reduce vulnerabilities in Python applications while maintaining full compatibility with existing workloads. This guide explains how to migrate your containerized Python applications to benefit from Chainguard’s enhanced security posture and daily updates.

Chainguard Containers are built on Wolfi, a distroless Linux distribution designed for security and a reduced attack surface. Chainguard Containers are smaller and have low to no CVE. Our Chainguard Containers for Python are built nightly for extra freshness, so they’re always up-to-date with the latest remediations.

Migrating to .NET Chainguard Containers

Wed, 05 Nov 2025 00:00:00 +0000

Chainguard’s .NET container images provide a security-hardened foundation for building and running applications with significantly fewer vulnerabilities than .NET images provided by Microsoft. Chainguard’s .NET container images maintain full .NET compatibility while dramatically reducing the attack surface.

This guide demonstrates migrating a .NET application from Microsoft’s official images to Chainguard’s .NET container images by comparing two nearly identical versions of an application side-by-side. This guide also highlights concrete examples of the security improvements resulting from migrating to Chainguard Containers.