Adapting Essential Eight for modern cloud environments using Chainguard
If software was eating the world in 2011, containerization has become the takeout box of choice in 2025. In 2024, a whopping 91% of organizations reported using containers for most or all of their production applications, with this shift to modern software development coinciding with a heavy reliance on open source artifacts, continuous integration, and automated deployment pipelines.
Unfortunately, this evolution also expands the attack surface, particularly through the inclusion of unnecessary and unvetted modules in the software supply chain.
With the growth of open source software (OSS) and containerized environments, the need for a security framework that can handle modern application development pipelines has never been more critical, and regulatory frameworks are adapting to catch up.
How Essential Eight factors in
Essential Eight, initially developed by the Australian Cyber Security Centre (ACSC), is a required framework for securing government IT environments. As the name implies, the framework defines eight (8) essential strategies to mitigate cybersecurity risks, which were designed to protect systems from common cyber threats, including malware, ransomware, and phishing.
The near ubiquity of cloud-native infrastructure necessitates adapting the often very Windows-oriented controls referenced in Essential Eight to the DevOps world. However, as organizations grapple with maintaining compliance in modern, cloud-native environments, it’s critical to minimize the engineering friction often associated with security.
The developer productivity challenge
A persistent pain point in modern DevOps and DevSecOps is the often negative impact of security issues on developer productivity. That conflict between security needs and developer productivity often revolves around pausing feature development in favor of:
- Patching vulnerabilities
- Auditing open source software (OSS) packages
- Hardening and building images to create smaller attack surfaces
These demands create friction that slows innovation and diverts engineering time away from delivering business value. A Chainguard survey found that 74% of developers feel that security tools hinder productivity, and 77% feel that prioritizing software supply chain issues can lead to tension between the teams.
Chainguard addresses these challenges by offloading OSS-related security tasks from the development team, letting developers build secure applications without the overhead. For example:
- CVE patching: Chainguard rebuilds container images and libraries daily from source, fixing CVEs every day. Developers no longer spend hours remediating vulnerabilities discovered by the security team.
- Signed SBOMs and supply chain attestation: Developers can confidently use OSS artifacts knowing every package is verified and auditable, reducing the need for manual checks.
- Minimal, distroless images: By eliminating unnecessary packages and shells, Chainguard reduces the attack surface while keeping container images lean, so developers don’t have to juggle security configurations.
By integrating security into CI/CD pipelines, Chainguard reduces the load on developers, ensures that security doesn’t become a bottleneck, and preserves development velocity.
Applying Essential Eight to cloud-native infrastructure with Chainguard
Below are the Essential Eight strategies along with the specific Chainguard capabilities that map to each:

| E8 Control | Chainguard Impact |
| --- | --- |
| Application Control | Chainguard removes unnecessary packages and shell environments from the OS, containers, and libraries, so there are no unknown apps available. Chainguard artifacts do not run as “root”. Chainguard access configurations are set to “deny-all”, and default passwords must be changed. |
| Patch Applications | Chainguard products are rebuilt every day from source. Chainguard addresses CVEs daily and has a committed SLA to patch critical vulnerabilities within 7 days. Continuous monitoring dashboards expose posture in real time. |
| Configure Microsoft Office Macros | As Chainguard Containers offers Linux-based artifacts, Microsoft Office Macros are not included; however, Chainguard production artifacts are minimal, designed not to contain any unnecessary modules or code. |
| User Application Hardening | Chainguard compiles with enhanced compiler flags to address memory safety issues, making applications built and deployed with Chainguard much more secure. Chainguard signs all container images and SBOMs to ensure supply chain security and image authenticity. Chainguard integrates with CI/CD tooling and offers a standardised, secure source for open source artifacts, limiting the introduction of unattested items. Chainguard audit trails and update cadences can provide visibility into developer build and deployment cycles. |
| Restrict Administrative Privileges | Chainguard has default least-privilege principles built into VMs and container images, meaning containers do not run as “root,” are configured to “deny-all,” and user accounts and privileges must be explicitly assigned. Chainguard artifacts are all attested with cryptographic signatures. |
| Patch Operating Systems | Chainguard products are rebuilt every day from source. Chainguard addresses CVEs daily. Chainguard artifacts are purpose-built, eliminating unnecessary packages and vulnerability surface area. |
| Multi-Factor Authentication | Organizations leveraging Chainguard container images in production inherit the MFA policy enforcement of the container orchestration platform in use. The Chainguard platform itself supports Single Sign-On (SSO) authentication for users. By default, users can log in with GitHub, GitLab, and Google, but SSO support allows users to bring their own identity provider for authentication. |
| Regular Backups | Chainguard artifacts are stored and versioned in the Chainguard repository, with full provenance and immutability enabling Chainguard container images to be completely rebuilt with no regression from the original. Chainguard provides a Software Bill of Materials (SBOM), so you know exactly what is included and what you need to back up. |
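The Patch Applications and Regular Backups rows both depend on being able to read an SBOM and act on it. As an added example, not Chainguard's own code or output, the Python script below loads two constructed SPDX-style SBOMs standing in for consecutive daily builds, reports which packages were added, removed or changed between them, and flags any package that carries no SHA256 checksum and therefore cannot be tied back to a verified artifact. Package names, versions and checksums are constructed sample values.

```python
"""Diff two SPDX-style SBOMs and flag packages without verifiable checksums."""
import json

# Constructed sample SBOMs in a minimal SPDX 2.3 JSON shape (not real Chainguard output).
SBOM_YESTERDAY = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.3.1",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32}]},
        {"name": "zlib", "versionInfo": "1.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "bb" * 32}]},
        {"name": "busybox", "versionInfo": "1.36.1",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "cc" * 32}]},
    ],
})
SBOM_TODAY = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.3.2",   # version bump after a rebuild
         "checksums": [{"algorithm": "SHA256", "checksumValue": "dd" * 32}]},
        {"name": "zlib", "versionInfo": "1.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "bb" * 32}]},
        {"name": "curl", "versionInfo": "8.9.0", "checksums": []},  # no checksum recorded
    ],
})


def load_packages(sbom_json):
    """Return {name: (version, sha256 or None)} from an SPDX JSON document."""
    doc = json.loads(sbom_json)
    out = {}
    for pkg in doc.get("packages", []):
        sha = next((c["checksumValue"] for c in pkg.get("checksums", [])
                    if c.get("algorithm") == "SHA256"), None)
        out[pkg["name"]] = (pkg.get("versionInfo", ""), sha)
    return out


def diff_sboms(old_json, new_json):
    """Packages added, removed, or whose version/checksum changed between builds."""
    old, new = load_packages(old_json), load_packages(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def unverifiable(sbom_json):
    """Packages with no SHA256 checksum: they cannot be matched to a known artifact."""
    return sorted(n for n, (_, sha) in load_packages(sbom_json).items() if sha is None)


if __name__ == "__main__":
    print(diff_sboms(SBOM_YESTERDAY, SBOM_TODAY))
    print("unverifiable:", unverifiable(SBOM_TODAY))
```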
Using Chainguard to implement Essential Eight principles transforms security from myopic, reactive CVE remediation, SBOM curation, and audit intelligence gathering into a proactive approach where both development and security teams have clear visibility into the state of their application infrastructure and compliance itself becomes an integral element of software development.
With continuous updates to eliminate CVEs, signed SBOMs that attest the correct, secure modules are in use, and the integrations in CI/CD pipelines, organizations benefit from:
- Reduced Risk: Smaller attack surfaces and faster CVE remediation.
- Enhanced Compliance: Real-time visibility and auditable evidence for regulators.
- Increased Developer Velocity: Engineers spend less time on triage and remediation of vulnerabilities and more time on business-critical development.
Chainguard operationalizes the Essential Eight principles through continuous monitoring, automated CVE management, and supply chain attestation, giving organizations the ability to secure modern infrastructure and increase developer productivity.
In today's environment of rising OSS attacks and regulatory scrutiny, leveraging trusted open source like Chainguard for continuous assurance is critical for reducing risk, meeting compliance obligations, and enabling teams to innovate efficiently. If this is you, reach out to our team to learn more about how we can help.