
Announcing Chainguard Custom Assembly: Image Customization Without Complexity

Sourabh Katti, Product; Tony Camp, Product; and Aaditya Jain, Product Marketing

Now Available in Beta


We’re excited to announce the Beta release of Custom Assembly, Chainguard’s new image customization product that enables enterprises to consume zero-CVE open source software tailored to their unique requirements. Historically, proprietary customization workflows have been complex and difficult to maintain, and have slowed down development. This launch introduces capabilities that enable customers to dictate package additions to Chainguard Images, without investing in their own build pipelines and maintenance processes.


Customized images are built in Chainguard’s SLSA Level 2 hardened environment, using our secure-by-design builds and automation. That means images built via Custom Assembly will maintain the same engineering and security best practices as Chainguard’s standard containers, with all packages guarded under our CVE remediation SLA. See below for a product demo.



In this blog post, we’ll take you behind the scenes, revealing the motivations behind Custom Assembly and the value we deliver to customers.


Status Quo Challenges with Image Customization


Our customers asked, we listened. Some Chainguard customers told us that they cannot take standard, “off-the-shelf” Chainguard containers and deploy them straight to production. These customers need to add packages to their images, because 1) they have enterprise-wide requirements to add a minimal set of packages to every image (e.g., tools like curl, bash, jq, etc.), or 2) their teams need to make “last-mile” customizations that satisfy an application’s specific requirements.


To satisfy such requirements, customers were manually manipulating images via multi-stage Docker builds, standing up proprietary build pipelines to execute these customizations, and relying on brittle maintenance processes to support these customizations over time. Customers shared that these status quo workflows in image customization and maintenance were complex, cumbersome to maintain, and slowed down development. And importantly, manually adding packages to Chainguard Images means invalidating the end-to-end integrity of Chainguard Images and introducing software into production that is unguarded by Chainguard’s SLA. This status quo directly exposes customers to risk, in the form of production CVEs, and to costly developer toil, as engineering teams now need to remediate those CVEs independently.


Chainguard’s Solution: Custom Assembly


To address these customer challenges, we built Custom Assembly, a platform that allows platform engineers and application developers to quickly and easily satisfy their customization requirements without spawning additional overhead, infrastructure, and maintenance sprawl. 


There are a few key pillars of value that Chainguard will deliver with Custom Assembly:


  1. Customizations Without Complexity: Chainguard has built a robust software factory composed of a secure-by-design build system, resilient automation, and robust CVE remediation capabilities. By exposing parts of Chainguard’s Factory to customers, we let users produce images tailored to their requirements without standing up and maintaining their own builds. That means customers are saving costs in the form of infrastructure (COGS), engineering hours (opex), and complexity (hidden costs). Instead, Chainguard will continuously build and maintain their customized images.

  2. Broader SLA Coverage: Today, Chainguard delivers an SLA for CVE remediation for all our container images. When customers re-configure our standard, off-the-shelf images, we cannot extend our SLA to their package additions because we do not have control over the build. Customers were thus responsible for maintaining these added packages at zero CVEs. With Custom Assembly, all packages included in the customized images – including those added to the stock image – will be guarded under our SLAs.

  3. Preservation of End-to-End Integrity: Manual package additions invalidate the standard code signatures, attestations, and SBOMs that we provide with every standard image because Chainguard no longer has full control over the build. With Custom Assembly, users can fully preserve the end-to-end integrity of Chainguard Images while still implementing the customizations they require. Custom Assembly ensures customers have clear visibility into what is in their image and where those components come from.

  4. Improved Developer Experience: Without Custom Assembly, developers have limited visibility into the packages underlying their Chainguard Images and must manually define package additions in a Dockerfile. This workflow is time-consuming and brittle, as it requires continuous maintenance by developers. With Custom Assembly, Chainguard users can see all their Chainguard packages in the UI and easily add any combination of packages to a standard image. Chainguard automation will then continuously build that image over time.


Getting Started with Custom Assembly


We’re excited to hear your feedback as you use Custom Assembly. Your feedback will play a key role in shaping Chainguard’s future plans to incorporate additional customization capabilities that deliver even more value.


If you’d like to learn more about Custom Assembly or how Chainguard’s minimal, zero-CVE containers can transform your software supply chain, reach out today. Existing Chainguard Images customers can get started with Custom Assembly by reaching out to their account teams and exploring our docs.
