Scaling Chainguard Images with a growing catalog and proactive security updates
In 2022, we introduced Chainguard Images, our suite of minimal, hardened container images that only contain what is required to build or run your application, delivering on average a 97.6% reduction in CVEs.
Since then, we’ve seen developers, maintainers, and enterprise organizations benefit from Chainguard Images’ secure baseline foundation for containers, which includes up-to-date image versions that are patched daily, a reduced attack surface and build-time SBOMs that are cryptographically signed by Sigstore.
As container adoption becomes ubiquitous across the industry, the Chainguard Images solution is one of the best ways to support and secure the next generation of container and cloud-native application development.
Today, we are announcing several updates to Chainguard Images that will better support development teams as they work to secure their software supply chain:
Chainguard Images Catalog: We currently offer our Chainguard Images public catalog for no cost to users. Today, we're introducing a paid catalog, with Standard and Custom subscription catalogs, featuring enterprise-grade patching SLAs and customer support in addition to the features we provide for all Chainguard Images like SBOMs, signatures and SLSA Build Level 2 provenance information.
Authentication for proactive security guidance: One of the key challenges image maintainers and providers face today is notifying their users about critical updates or information for the images they pull. This can range from version deprecations to breaking changes that require user or customer action to important CVE notices that need to be communicated quickly and clearly. To improve this process, we are encouraging Chainguard Images users to log in to pull our Images so that we can quickly notify of these important image lifecycle events, and maintain our images with the highest standards of security. Please see our “how to” steps below for important log in information.
Reliable infrastructure: In order to provide a reliable and sustainable Chainguard Images product, we built our own registry. None of the container registries on the market today enable the level of feature or cost control (such as egress) to let us provide the solution we wanted, and so we leveraged our team’s extensive experience operating hyperscale container registries to build our own. Our registry addresses these pain points and enables us to sustainably support widespread usage and provide a reliable product foundation for all of the container images we offer.
Chainguard Images currently support more than 100+ images, including popular build and development tools, applications, middleware, and language runtimes. Since their launch, Chainguard Images have been pulled over 14 million times, helping development teams around the world drastically reduce the daily headache of image version maintenance and CVE triage. In fact, recent research from Chainguard of popular container images found that when not updated, images can accumulate one known vulnerability per day.
“For years, our team struggled with minimizing and triaging CVEs in one of our most critical customer-facing images,” explained Diego Comas, Head of Security for Sourcegraph, the leader in Universal Code Search. “By switching to Chainguard Images, we almost immediately achieved zero-known CVEs in our customer image for the first time in two years, which significantly helped free up engineering and technical success resources to focus on customer innovation and removed the daily headache of vulnerability maintenance associated with that image.”
We're committed to providing the highest level of security, usability and quality for all of our Chainguard Images users. By offering these new features and paid products, we believe that we can continue to build upon our secure baseline foundation and offer even more value to our users as they look for developer-first tools that secure the software supply chain by default.
How to enable authentication for proactive security guidance
Setting up your account for authenticated access to Chainguard Images is simple:
Register online for a free Chainguard account
Run
chainctl auth configure-docker
to configure a credential helper that will automatically provide authentication credentials when pulling Chainguard Images from our registry, cgr.dev.
We also provide a number of options for authenticating, including integrated support for GitHub Actions and several other CI systems, pulling from Kubernetes, and even setting up federation using your organization's OIDC provider. See here for more information.
Logging in is optional, but it will be the primary mechanism we will use to notify users of upcoming changes moving forward. We encourage users of our free, public Images to start doing this today. Logging in will also give users access to browse our Images in the Chainguard platform.
One of the upcoming changes we will notify users about is streamlining our catalog to only offer :latest
tags for Images in the public tier. (including variants like :latest-dev
).
In 90 days on August 16, we will move all other tags, including version-specific tags, to the Standard and Custom catalogs. Using older versions of software introduces potential security risks and it's our priority to ensure our free Image versions are held to the highest security standards.
Free Images in our public catalog will remain available publicly without requiring authentication:
Images tagged
:latest
and:latest-dev
will be available without login required, and will automatically receive all version updates, including major and minor versions.
Images pulled by digest (that is,
@sha256:...
) will be available without logging in, but will not receive any updates or security fixes.
SBOMs, signatures and attestations for all Images will be available without logging in.
After August 16, while you can continue to pull :latest
images anonymously, you will need to authenticate in order for us to notify you of breaking changes or critical security updates.
Test drive Chainguard Images
You can try our Chainguard Images today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. If you're interested in our paid products, reach out to our team for more information. Our Images inventory is always expanding. If you need something you don’t see listed in our catalog, we can build custom bundles or single-custom images. If you are an existing Chainguard Images enterprise customer, today’s updates have no impact or changes for your current tier or pricing structures.
Interested in seeing how we approach building our Images and what makes them more secure than the alternative options? Join Chainguard CEO Dan Lorenc on May 23rd for a live demo session on building Chainguard Images. Register here.
A note to our community of public users
Finding the perfect balance between usability and software hygiene best practices is almost always difficult to strike. Part of our mission at Chainguard is to help developers everywhere build software right from the start, not after the fact. With today’s changes we are aware that a small subset of existing Chainguard Images users using our free, public catalog may encounter breaking changes once authentication for the latest image version is required.
We understand that there are other image options that have support for longer life cycles of older versions. Our intent with these changes again is to help developers build software right from the start and using the latest version of images is one way to enable this. We welcome your feedback on these changes as we chart this new territory for the broader software ecosystem.
With that being said, if you find that this change will impact how you are using Chainguard Images in the public catalog, please reach out to our team and we will work with you to ensure a smooth transition.
If you are an open source project and are interested in using Chainguard Images, we would love to discuss how we can support you and your project needs.
Ready to Lock Down Your Supply Chain?
Talk to our customer obsessed, community-driven team.