Chainguard
Commercial supplier of rebuilt-from-source container images and language libraries with Sigstore-signed build provenance.
What it is
Chainguard is a commercial supplier of rebuilt-from-source artefacts: container images (Chainguard Images), language-level packages (Chainguard Libraries for Java, Python, and others), and a Linux base distribution (Wolfi) that the images are built on.
The product is not another way to audit existing packages; it is a different
supply of packages. Customers replace the upstream artefact (python:3.12 from
Docker Hub, a JAR from Maven Central) with the Chainguard-built equivalent.
Each artefact ships with a Sigstore signature, a SLSA build provenance
attestation, and an SBOM. There is no authoring workflow on the consumer side:
pulling a Chainguard image is docker pull cgr.dev/chainguard/<image>, and
pulling a Chainguard Library is a registry-URL change in the language’s package
manager.
Trust model
Trust in Chainguard is single-anchor and commercial. The customer trusts Chainguard, the company, to rebuild upstream sources cleanly and to sign the resulting artefacts. Verification is a Sigstore signature check against Chainguard’s identity, recorded in the public Rekor transparency log.
Chainguard’s claim about an artefact is about its build: this binary was produced from a specified source revision by Chainguard’s infrastructure, with no extra inputs. Their shared responsibility model frames Chainguard’s scope as building upstream releases, patching CVEs and toolchains, and producing conformant distributions; review of the upstream source for safety is not listed as part of it.
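As an added example (not Chainguard's or OpenVet's own code), this is the consumer-side check the trust model above describes: run cosign's keyless, Rekor-backed verification against Chainguard's signing identity, fail closed if no matching signature exists, and pin the image by the verified digest rather than the tag. The issuer and identity strings are assumptions taken from Chainguard's documentation for its public images and should be confirmed there; the cosign output embedded at the bottom is constructed.

```python
"""Fail-closed check of a cosign verification result for a Chainguard image."""
import json
import subprocess

# Assumed pin (confirm against Chainguard's docs): the OIDC issuer and the
# signing identity Chainguard uses for its public images.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = ("https://github.com/chainguard-images/images/"
                     ".github/workflows/release.yaml@refs/heads/main")

def repository(image_ref: str) -> str:
    """Drop '@digest' and ':tag' so the ref matches cosign's docker-reference."""
    ref = image_ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")
    return f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]

def pinned_reference(image_ref: str, verify_output: str,
                     issuer: str = EXPECTED_ISSUER,
                     identity: str = EXPECTED_IDENTITY) -> str:
    """Parse `cosign verify` JSON; return the digest-pinned ref or raise."""
    repo = repository(image_ref)
    for sig in json.loads(verify_output):
        critical, optional = sig.get("critical", {}), sig.get("optional", {})
        if critical.get("identity", {}).get("docker-reference") != repo:
            continue  # signature is for a different repository
        if optional.get("Issuer") != issuer or optional.get("Subject") != identity:
            continue  # valid Sigstore signature, but not Chainguard's identity
        digest = critical["image"]["docker-manifest-digest"]
        if not digest.startswith("sha256:"):
            raise ValueError(f"unexpected digest format: {digest}")
        return f"{repo}@{digest}"  # deploy this, not the mutable tag
    raise ValueError(f"no signature by {identity} found for {repo}")

def verify_image(image_ref: str) -> str:
    """Run keyless, Rekor-backed cosign verification and return a pinned ref."""
    out = subprocess.run(
        ["cosign", "verify", f"--certificate-oidc-issuer={EXPECTED_ISSUER}",
         f"--certificate-identity={EXPECTED_IDENTITY}", image_ref],
        capture_output=True, text=True, check=True).stdout
    return pinned_reference(image_ref, out)

# Constructed sample in the shape cosign prints; not a real signature record.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": "cgr.dev/chainguard/static"},
                 "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
                 "type": "cosign container image signature"},
    "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_IDENTITY}}])
```

verify_image() needs cosign on PATH and network access to Rekor; pinned_reference() is the pure decision step and can be exercised offline against SAMPLE_OUTPUT.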
Comparison to OpenVet
Chainguard and OpenVet address different layers of the same problem, and can be used together.
What is being attested. Chainguard attests where an artefact came from: which source revision was rebuilt, by which pipeline. OpenVet helps you make attestations about the code itself: whether it is malicious, whether it is implemented correctly, whether there are findings consumers should know about. Provenance and code review are different layers: a Chainguard image with a clean provenance chain has still not necessarily been read by anyone, and may contain bugs or vulnerabilities.
Trust set. Chainguard customers trust one signing identity: Chainguard’s.
OpenVet consumers list one or more log URLs in openvet.toml, and each log is
independently signed by its owner. One is a single commercial trust anchor, the
other is a configurable set.
Scope of artefacts. Chainguard ships container images and a growing catalogue of language libraries built from a curated set of upstream sources. OpenVet covers the full package set of each supported ecosystem (Cargo, npm, PyPI, Go modules, RubyGems), since audits attach to packages that already exist in those registries.
Cost and access. Chainguard is a paid subscription, with a smaller free tier of public images. OpenVet is open infrastructure: running an audit log requires no agreement with anyone. Audits are licensed under permissive licenses, giving you the right to use them however you like at no cost.
Using alongside OpenVet
The two tools answer different questions, and can be combined.
Build provenance normally needs upstream effort. A package maintainer has to opt into SLSA build attestations, npm provenance, or similar before downstream consumers get a cryptographic statement about how an artefact was produced. Chainguard sidesteps that for the packages it supplies, by rebuilding upstream sources itself and signing the result.
Different questions. “Where did this binary come from?” is a provenance
question; Chainguard answers it. OpenVet is the infrastructure for authoring,
hosting, discovering, and ingesting audits, so it surfaces answers to questions
of the shape “has anyone I trust said anything about this package?”: is it
audited at all, is it asserted to be free of malware (an is-benign claim), is
it implemented correctly, are there findings worth reviewing. A package can be
well-provenanced and unaudited, or thoroughly audited and shipped without any
provenance.
Stacking them. Use Chainguard Images and Libraries for the artefact supply, and OpenVet to check whether the application’s own direct dependencies have been audited by people you trust. The two signals stack: a verifiable build chain for the runtime, and visibility into what reviewers have said about the source the application is built against.