Assemble 2026: Opening Keynote

With Dan Lorenc, CEO & Co-Founder of Chainguard

In the opening keynote of Chainguard Assemble 2026, we announced Chainguard OS Packages, Chainguard Catalog Starter, Chainguard Commercial Builds, Chainguard Repository, Chainguard Actions, Chainguard Agent Skills, and the Guardener. Chainguard CEO and Co-Founder Dan Lorenc is joined by several guests from organizations such as OpenAI, GitLab, and MRI Technologies to discuss how software development is changing in 2026 with the acceleration of AI, and how organizations are adapting.

AI in the SDLC Panel: Friend, Foe, or Both?

With Trey Caliva (Staff Platform Engineer, Abridge AI), Dwayne McDaniel (Senior Developer Advocate, GitGuardian), Jon Ceanfaglione (Chief Architect, DevSecOps and IT Automation Practice, IBM Federal), and Emilia David (Writer, VentureBeat)

AI is transforming the software development lifecycle: accelerating delivery while introducing new risks. In this session, we'll examine where AI adds value, where it creates vulnerabilities, and how to set guardrails that balance speed with security. You'll leave with a practical framework to decide when to embrace AI, when to be cautious, and how to prepare for what's next.

Cracking the Compliance Code: Building Trust for Government-Grade Cloud Security

With Vijaya Ganesh Varadaraja Muthukumar (Director of Product Engineering, Platform, Iron Mountain), Matt Conner (CISO, Second Front), Rob Gil (Sr. Director, Federal Architecture, Okta), Katie Norton (IDC Analyst), and Quincy Castro (CISO, Chainguard)

FedRAMP is the benchmark for cloud security in the federal space, but achieving it is complex and resource-intensive. This session breaks down the new compliance requirements, why it matters beyond government contracts, and how to integrate best practices into everyday workflows.

Product Deep Dive: Chainguard Libraries

With Angela Zhang (Senior Product Manager, Chainguard), Ross Gordon (Staff Product Marketing Manager, Chainguard), and Bria Giordano (Director, Product Management, Chainguard)

Chainguard Libraries are drop-in, malware-resistant replacements for your Python, Java, and JavaScript dependencies. In this session, we'll explore how we close the "integrity gap"—the risk that allowed the Shai-Hulud worm and the hijack of Chalk and Debug to bypass traditional security tools. You'll see what's next on the roadmap, learn how these libraries integrate into your existing builds, get a sneak peek into the Chainguard Factory, and discover how to eliminate the constant fire drills and manual triage that exhaust your engineering teams.

Product Deep Dive: Chainguard Containers

With Billy Lynch (Staff Software Engineer, Chainguard) and Sam Katzen (Director, Product Marketing, Chainguard)

Chainguard Containers deliver secure, minimal, and continuously maintained container images designed to eliminate vulnerabilities and reduce supply chain risk. In this session, we’ll explore the Chainguard Containers roadmap — what's new, what's next, and how upcoming features will make it even easier to maintain compliance and security at scale. You'll see how Chainguard Containers integrate into existing workflows, improve developer productivity, and provide a stronger foundation for running software in production.

Building the Business Case for Trusted Open Source

With Ed Sawma (VP, Product Marketing, Chainguard) and Adeel Saeed (SVP, CTO, Kyndryl)

Open source is the engine of innovation, but when vulnerabilities slip in, they also become a hidden cost center. You'll walk away with the data and narrative you need to build executive-level support for secure, trusted open source programs that are a strategic growth lever.

Attacks Rewritten: Where Malware Enters the Build

With Manfred Moser (Sr. Principal Developer Relations Engineer, Chainguard) and Patrick Smyth (Principal Developer Relations Engineer, Chainguard)

Most supply chain attacks don't target production — they exploit the build. This session unpacks how and where malware slips into builds, with a look at recent real-world attacks and what could've stopped them.

We'll show how Chainguard Libraries, by building from source with full provenance, blocked ~99.7% of known malicious npm packages in testing. Learn how build-time protection changes the game, and walk away with practical strategies to get started with Chainguard Libraries.

Third-Party Image Management at Scale

With Abdullah Munawar, Director, Product Security at Appian

Third-party images are fundamental to cloud infrastructure, playing a critical role in various functions across the industry. However, organizations frequently struggle to maintain security and compliance for these images, particularly when operating at scale. In this session, we'll delve into these challenges and explore a range of potential solutions.

Attendees will leave with a clearer picture of the problem and diverse strategies for securing third-party components in large-scale environments.

This Shit is Hard: Inside the Chainguard's Agentic Factory

With Dustin Kirkland, SVP, Engineering at Chainguard

Behind every “secure by default” release is a whole system of engineering, automation, and trust mechanisms — and making all that reliable at scale is seriously challenging. In this session, we'll pull back the curtain on Chainguard Factory 2.0: how we've evolved our build pipelines, verification layers, and operational controls to bring trust guarantees into daily software delivery.

You'll hear about our toughest lessons, architectural changes, and trade-offs (including real failures). If you're building or scaling a secure infrastructure or build system, this is your chance to see what happens when the rubber meets the road — and walk away with practical inspiration (and war stories) you can adapt.

This Shit is Hard: Build Isolation for SLSA 3

With Mark Manning, Principal Product Security Engineer at Chainguard

Getting to SLSA Build Level 3 sounds great on paper, but in practice, the hardest problems arise within the build system itself — where isolation, trust boundaries, and automation collide with real-world CI/CD constraints. In this session, we'll share firsthand experiences pushing builds toward SLSA 3, from discovering why “containerized” isn't truly isolated, to redesigning build environments and separating signing and provenance from the build process. We'll dig into build isolation, provenance generation, and the operational telemetry that reveals where theory breaks down in modern pipelines. Expect a candid look at what actually works (and what definitely doesn't), along with practical guidance for using SLSA to clearly explain how your build system mitigates supply chain threats for your organization.

Breaking the Release Monolith: How Outsystems Built a Platform Engineering Solution that Reduced Lead Time by 10x

With Maria Chec (Principal Technical Program Manager, OutSystems) and João Brandão (Director of Engineering, OutSystems)

At OutSystems, releasing software once felt like pulling teeth. Teams were stuck in a slow, monolithic release process with week-long lead times, fragile pipelines, and growing developer frustration. To change this, the team built Pegasus — a continuous delivery platform that combines team autonomy with strong guardrails.

With Pegasus, teams now deploy independently, securely, and in under 24 hours, achieving Elite DORA performance. This session explores how to transform delivery at scale, the mindset shifts that make it possible, and the metrics that prove success in both productivity and reliability.

Dispelling the Myths of Advisory Feeds

With Patrick Smyth (Principal Developer Relations Engineer, Chainguard) and Gus Evangelakos (VP of Global Sales Engineering, Orca)

Advisory feeds are the ultimate source of truth, right? In this lightning talk, Orca and Chainguard pull back the curtain on how advisory data is actually produced, aggregated, and consumed by scanners and platforms. We'll dig into a few pervasive myths: that missing advisories imply safety, that pristine zero CVE dashboards always reflect reality, and that scanner disagreements are proof a tool is broken.