Chainguard

Chainguard provides a catalog of 1,700+ minimal, zero-CVE container images built continuously from source in hardened infrastructure. The images are distroless, containing only essential runtime components without shells or package managers, dramatically reducing attack surface while improving performance. Chainguard offers industry-leading SLAs for vulnerability remediation: 7 days for critical severity CVEs, 14 days for high, medium, and low severity vulnerabilities. The platform includes developer images (-dev variants) with necessary build tools while maintaining production readiness. Built on Chainguard OS (based on Wolfi), the images feature continuous updates, rapid security patching, and minimal package sets. The platform demonstrates a 97.6% reduction in CVEs compared to standard open-source equivalents and includes SBOM generation, software signatures via Sigstore, and tag history APIs for version tracking. Compatible with all major container scanners including Grype, Prisma Cloud, Snyk, Trivy, and Wiz. Chainguard Factory automates the building, testing, patching, and release of container images using a Kubernetes-based pipeline platform.