
Everything we announced during AI Readiness Innovation Week

Patrick Donahue, SVP, Product

The AI coding era has done something the security industry wasn't ready for: it collapsed the distance between writing code and shipping it. Engineers are directing agents to build, test, and deploy faster than any manual workflow could sustain. That's genuinely exciting, and it's also why the software supply chain has never been more consequential. Every artifact an agent reaches for, every GitHub Action it runs, every dependency it pins is a trust decision made at machine speed, with no human in the loop.

Innovation Week: AI Readiness is our answer to that moment. This week, Chainguard shipped advances across every layer of the supply chain: containers, libraries, CI/CD pipelines, AI agent skills, IDE integrations, partnership expansion, and a new industry coalition. Each announcement addresses a specific part of the problem. Together, they're what building safely with AI looks like in practice.

Here's everything we announced.

Athena: coordinated defense for AI-discovered vulnerabilities


The industry's vulnerability disclosure model was built for a world where finding a serious flaw in a critical open source project took weeks. Frontier AI models have collapsed that timeline to hours. When a model identifies a critical vulnerability in a foundational component like OpenSSL or glibc, the window between discovery and exploitation may not be long enough for the traditional coordinated disclosure process to work.

Fragmentation is the default bad outcome. A model finds a flaw, reports it to one vendor, and the rest of the ecosystem (including the upstream maintainers who need to ship the fix) has no idea it's coming. Attackers, meanwhile, aren't waiting.

Athena is Chainguard's answer: an industry coalition for the orchestrated defense of open source software from AI-discovered vulnerabilities. Members pool vulnerability findings through Athena's full lifecycle, covering clearinghouse functions, pre-embargo remediation, continuous reconciliation, platform and network mitigations, vendor detections, and upstream disclosure or hard forks when needed. Critically, members gain access to private hardened builds through Chainguard Libraries before a vulnerability is publicly disclosed, so they're not scrambling on day zero. Athena accepts findings from frontier models, including Anthropic's Project Glasswing and OpenAI's Daybreak.

Chainguard hopes to work with the Linux Foundation on a coordinated Security Incident Response Team and a maintainer-of-last-resort program that keeps critical projects supported even when upstream teams can't move fast enough. If you're working at a frontier lab or a major enterprise in a regulated industry, we want to hear from you.

Gartner named Chainguard a Leader in its inaugural Magic Quadrant for Software Supply Chain Security

Also this week, Gartner published its first-ever Magic Quadrant for Software Supply Chain Security and named Chainguard a Leader, positioned furthest right for Completeness of Vision among all vendors evaluated (download a copy here).

The report's existence matters as much as our placement. We believe that Gartner's decision to create a dedicated Magic Quadrant for this space formally establishes software supply chain security as a board-level buying decision. The reactive scan-and-patch model that has defined the last decade isn't what enterprises are buying toward anymore. They're buying toward prevention, toward a secure-by-default foundation, and that's exactly what Chainguard has been building since day one.

Chainguard Actions is now in open beta

GitHub Actions are highly privileged. They touch source code, cloud credentials, tokens, and release infrastructure. And the attacks targeting them have gotten worse: the tj-actions compromise hit 23,000 repositories, the Trivy supply chain attack pulled credential-stealing malware from tags engineers already trusted, and the Mini Shai-Hulud campaign used Actions release workflows to publish poisoned packages. Because attackers are now using AI to target every layer of the software development lifecycle, the pipelines your code flows through need the same level of hardening as the artifacts they contain.

Chainguard Actions is now in open beta, giving teams self-serve access to the largest catalog of hardened, verified GitHub Actions, with more than 500 available from day one directly through GitHub. Each Action has been run through a multi-layer hardening pipeline combining rule-based analysis with AI-augmented review. When findings are detected, the Action's YAML is rewritten to remove script injection risks, insecure environment variable handling, and unsafe command interpolation. Coverage keeps up: if an Action isn't in the catalog yet, file a GitHub Issue, and Chainguard will harden and ship it within one business day.
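As an added illustration of the script-injection class that rewrite targets (example code, not Chainguard's hardening pipeline, whose rules this page does not publish), the following Python script finds `${{ ... }}` expressions sourced from attacker-controlled event fields inside `run:` steps and applies the standard fix: move each one into the step's `env:` block so the shell receives it as data rather than as script text. The list of untrusted contexts, the sample workflow, and the line-based YAML handling are assumptions of the example; it handles steps that have no `env:` block of their own yet.

```python
import re

# Event fields an external contributor controls (assumed list, not exhaustive):
# an issue title or PR body is attacker input once it lands inside a shell script.
UNTRUSTED_PREFIXES = (
    "github.event.issue.",
    "github.event.pull_request.",
    "github.event.comment.",
    "github.event.review.",
    "github.head_ref",
)

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")

# Constructed sample workflow: both steps interpolate untrusted input into a shell.
SAMPLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Save body
        run: |
          echo "${{ github.event.issue.body }}" > body.txt
          echo "${{ github.repository }}"
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside run: scripts."""
    findings = []
    in_run, run_indent = False, 0
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("run:"):
            in_run, run_indent, body = True, _indent(line), stripped[4:]
        elif in_run and (not stripped or _indent(line) > run_indent):
            body = stripped  # continuation line of a multi-line run: |
        else:
            in_run = False
            continue
        for m in EXPR.finditer(body):
            if m.group(1).startswith(UNTRUSTED_PREFIXES):
                findings.append((n, m.group(1)))
    return findings


def env_name(expr):
    """github.event.issue.title -> ISSUE_TITLE"""
    expr = expr.replace("github.event.", "").replace("github.", "")
    return "_".join(part.upper() for part in expr.split("."))


def harden(workflow_text):
    """Rewrite run: blocks so untrusted expressions arrive via env vars, not inline text.
    Simplification: assumes the step has no env: block of its own yet."""
    lines, out, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i]
        if not line.strip().startswith("run:"):
            out.append(line)
            i += 1
            continue
        indent = _indent(line)
        block, j = [line], i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > indent):
            block.append(lines[j])
            j += 1
        env = {}

        def to_env(m):
            expr = m.group(1)
            if not expr.startswith(UNTRUSTED_PREFIXES):
                return m.group(0)  # github.repository etc. stays as-is
            name = env_name(expr)
            env[name] = expr
            # Inside an existing "..." pair use ${NAME}; otherwise add our own quotes
            inside_quotes = m.string[: m.start()].count('"') % 2 == 1
            return "${%s}" % name if inside_quotes else '"${%s}"' % name

        block = [EXPR.sub(to_env, ln) for ln in block]
        if env:
            pad = " " * indent
            out.append(pad + "env:")
            out.extend(pad + "  %s: ${{ %s }}" % (k, v) for k, v in env.items())
        out.extend(block)
        i = j
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, expr in find_injections(SAMPLE):
        print("line %d: untrusted expression %s in run: step" % (n, expr))
    print(harden(SAMPLE))
```

The detector flags only the two `github.event.issue.*` expressions; `${{ github.repository }}` is left alone because the repository owner, not an issue author, controls it. After the rewrite the shell sees `"${ISSUE_TITLE}"`, which cannot terminate the quoted string or start a new command no matter what the issue title contains.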

The new Chainguard Actions migration skill handles the inventory and swap automatically. Point it at a repo or org, and it generates a report of every Action in use, including versions, workflow counts, and exposure surface. From there, it creates a pull request to replace eligible Actions with hardened equivalents and files requests for anything not yet in the catalog. Whether you're securing one repo or an entire organization, the skill does the heavy lifting.

Get started with a 30-day free trial by downloading the migration skill, or read the documentation.

Chainguard Libraries for Java is now generally available with CVE remediation

The best way to tee this up is with an example: Spring Boot 2.7 reached end of life in November 2023 and carries 143 CVEs across 79 projects, none of them patched. At the same time, the mean time to exploit has dropped to -7 days: on average, active exploitation begins about a week before a patch is available. Spring received 482 new security reports in April 2026 alone. The math doesn't work for teams trying to triage their way out of this.

Chainguard Libraries for Java is now generally available and includes CVE remediation, starting with critical and high-severity CVEs across the Spring Boot ecosystem. Chainguard backports fixes and rebuilds the entire package from source, producing a new versioned artifact with a -0.cgr.N suffix. Scanners and auditors see a clean, versioned artifact rather than a patch layered on top of a vulnerable package. The Supply-chain Levels for Software Artifacts (SLSA) provenance chain links the patch, the build, and the artifact, providing auditors with cryptographic proof that the fix was applied. Wiz, AWS Inspector, Grype, and Trivy all recognize Chainguard's remediated Java libraries, with more scanners coming.

For teams stuck between security exceptions, manual backports, and disruptive major-version upgrades, this is a fourth option. Swap in the remediated version, stay safe while you plan the upgrade on your schedule, and pull malware-free libraries from the same endpoint.

Chainguard Repository adds policies for Java, Python, and container artifacts, Chainguard Libraries for JavaScript now GA

Malware campaigns targeting open source registries aren't slowing down. Since the start of the year, Chainguard has tracked compromises hitting npm, PyPI, and container registries week after week. Faster scanning at the end of the pipeline isn't the defense — controlling what enters the environment in the first place is.

Three new capabilities are now available in Chainguard Repository. First, Chainguard's malware and greyware scanner, previously covering JavaScript only, now applies to Python packages, Java packages, and container images. The scanner catches not just traditional malware but greyware: packages that do exactly what they claim to do, except that what they do includes harvesting credentials or exfiltrating data to third-party servers. Chainguard's scanner identifies and blocks more than 70 greyware projects every week.

Second, the policy engine has expanded to cover container images, Python, and Java. For Chainguard Containers, teams can now block end-of-life images, restrict pulls to long-term support versions, and set cooldowns between when a new version publishes and when it's eligible to be pulled. For Chainguard Libraries, custom blocking lets teams prevent specific projects or versions that don't meet organizational standards. Upstream fallback, with scanning and cooldown, is now available for Java and Python, matching what's been available for JavaScript. Overrides are available across the board when teams need to make a deliberate exception.

Third, teams can now preview a policy's impact on current artifact consumption before activating it. Once active, the Repository surfaces which artifacts were blocked, which policies triggered the block, and when each triggered. That data makes it possible to identify patterns and refine policies without flying blind.
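As an added sketch of the repository-policy concept described in the two paragraphs above (example code, not Chainguard Repository's engine or its policy syntax, which this page does not describe), the following evaluates three rules against a constructed catalog: a cooldown on freshly published versions, an explicit version blocklist, and an end-of-life block, with an override set that takes precedence and a preview mode that reports what would be blocked without withholding anything. The catalog entries, timestamps, and policy shape are all assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed catalog: (ecosystem, name, version, published, end_of_life)
NOW = datetime(2026, 5, 12, 12, 0, tzinfo=timezone.utc)
CATALOG = [
    ("npm", "left-pad", "1.3.0", NOW - timedelta(days=400), False),
    ("npm", "left-pad", "1.3.1", NOW - timedelta(hours=2), False),  # published 2h ago
    ("pypi", "requests", "2.32.3", NOW - timedelta(days=30), False),
    ("maven", "org.springframework.boot:spring-boot", "2.7.18", NOW - timedelta(days=600), True),
    ("container", "cgr.dev/chainguard/python", "3.11", NOW - timedelta(days=10), False),
]

# Assumed policy shape, not Chainguard's.
POLICY = {
    "cooldown": timedelta(days=3),
    "blocked_versions": {("pypi", "requests", "2.32.3")},
    "block_eol": True,
    # Deliberate exception: the team has accepted the EOL Spring Boot line for now.
    "overrides": {("maven", "org.springframework.boot:spring-boot", "2.7.18")},
}


def evaluate(artifact, policy, now=NOW):
    """Return (allowed, reason); reason names the rule that triggered."""
    eco, name, version, published, eol = artifact
    key = (eco, name, version)
    if key in policy["overrides"]:
        return True, "override"
    if key in policy["blocked_versions"]:
        return False, "blocked_versions"
    if policy["block_eol"] and eol:
        return False, "eol"
    if now - published < policy["cooldown"]:
        # A release that is hours old has not yet been through anyone's
        # detection pipeline; the cooldown buys that time.
        return False, "cooldown"
    return True, "ok"


def apply_policy(catalog, policy, enforce, now=NOW):
    """enforce=False is preview mode: nothing is withheld, but the block log is filled
    exactly as it would be under enforcement, so the impact can be reviewed first."""
    allowed, log = [], []
    for artifact in catalog:
        ok, reason = evaluate(artifact, policy, now)
        if not ok:
            log.append((artifact[:3], reason, now.isoformat()))
        if ok or not enforce:
            allowed.append(artifact[:3])
    return allowed, log


if __name__ == "__main__":
    _, preview_log = apply_policy(CATALOG, POLICY, enforce=False)
    for key, reason, when in preview_log:
        print("would block %s/%s@%s: %s (%s)" % (key[0], key[1], key[2], reason, when))
```

Run in preview first, inspect the log, then flip `enforce=True`; the log has the same three fields the paragraph above lists (which artifact, which policy, when), which is what makes it possible to tune the cooldown or blocklist against real consumption rather than guessing.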

We’re also announcing that Chainguard Libraries for JavaScript is now generally available. This brings all three of our library ecosystems to GA.

Wiz now scans Chainguard Libraries for Python and Java

Security teams using Wiz can now extend their existing workflows to Chainguard Libraries for Python and Java. The expanded partnership connects Chainguard's source-built, malware-free library catalog to the Wiz Security Graph, so teams get a clearer view of their actual risk rather than a feed of findings from packages that never entered their environment.

The difference is in how remediation is delivered. When Chainguard backports a CVE fix, the entire package is rebuilt from source, with the patch, the build, and the resulting artifact all linked through SLSA provenance. An auditor reviewing the artifact receives cryptographic proof that the fix was applied, not a patch file sitting atop a vulnerable package with no chain of evidence. Wiz surfaces findings that require action; Chainguard eliminates the noise before it gets there.

Securing the AI coding ecosystem: Cursor and Kiro

Every time an AI agent generates a Dockerfile, pulls a dependency, or assembles a new project, it's making a trust decision at machine speed. Public registries weren't designed for that threat model, and attackers are actively exploiting it. Asking engineers to audit every artifact their agent reaches for isn't the answer — making the secure path the path of least resistance is.

Chainguard is now available natively in the Cursor Marketplace. Install it in two minutes (search for Chainguard, add it to Cursor, connect the MCP servers, authenticate), and your agent starts pulling from Chainguard Repository: more than 2,500 hardened container images and millions of malware-free library versions across Python, Java, and JavaScript. No workflow disruption, no migration overhead. Cursor agents that previously defaulted to Docker Hub, PyPI, or npm now have a trusted alternative as the default.

Chainguard is also partnering with Kiro, AWS's agentic IDE built around production-ready software. The Chainguard Power plugin for Kiro lets teams point at a repo and ask it to harden things. Kiro reliably replaces public-registry base images and language packages with Chainguard Containers and Libraries rather than guessing each time. The combination of Kiro's spec-driven approach and Chainguard's secure-by-default artifacts means agents can move fast on a foundation that holds up in production.

The AI coding ecosystem is bigger than any two tools. Chainguard is actively expanding its presence across more platforms.

Chainguard Containers: secure by default, wherever you build

Several Chainguard Containers updates shipped this week, each targeting a specific barrier to enterprise adoption.

RHEL 9 and RHEL 10 RPM support (preview). For enterprise teams in financial services, government, and regulated industries, the RPM gap has been the real blocker to adopting Chainguard. Business applications distributed in RHEL's package format depend on an RPM database, and Chainguard OS tracks packages with APK. Chainguard built a metadata bridge that reads what APK knows about installed packages and translates those capabilities into RPM equivalents, including soname references, package-name capabilities, and versioned symbol sets, seeding the RPM database so rpm -i works normally. The underlying packages remain Chainguard's, built from source continuously with full provenance. Where Chainguard OS's ABI surface matches RHEL's, it works as a drop-in. Where it genuinely diverges, the system fails at install time rather than silently at runtime. Sign up for the preview here.

-full tags (now generally available for 10 images). Migrating to Chainguard can hit a wall when existing pipelines depend on packages, entrypoints, or configurations that minimal images intentionally omit. The -full tag variant mirrors the upstream Docker Hub equivalent exactly, with the same packages, entrypoint, environment variables, and user and group configuration, so teams can swap in Chainguard without touching their pipelines. The image is still built on Chainguard OS, still rebuilt continuously, and still covered by Chainguard's CVE remediation SLA. Available for python, node, nginx, go, redis, jdk, grafana, jre, prometheus, and postgres. The -full tag is an onboarding accelerant, not a destination.

Go Geomys Federal Information Processing Standards (FIPS) image (now GA). Upstream Go's native FIPS 140-3 module, developed in partnership with Geomys, has completed CMVP validation (CMVP #5247). The go-geomys-fips image defaults to and hardens the validated module, making it impossible to compile binaries without FIPS crypto and blocking disallowed algorithms, including DES, RC4, DSA, and SHA-1. It uses a kernel-independent entropy source (CMVP ESV #E318), includes a go-fips-test tool to verify binaries use a FIPS-validated cryptographic module, and is appropriate for use inside FedRAMP boundaries. The existing OpenSSL-based go-fips image remains supported.

Custom Assembly APK mirror support (private beta). Organizations whose security policies prohibit production workloads from reaching external endpoints at runtime can now specify custom APK repository URLs in their Custom Assembly configuration. Customer-supplied URLs are written into /etc/apk/repositories in the final image; build-time resolution still uses Chainguard's curated repositories. Reach out to your account manager to join the private beta.

Custom Certificates for Custom Assembly (now GA). Add PEM-encoded internal certificates to Custom Assembly builds via chainctl. Chainguard validates them, rejects anything containing a private key, appends them to the system trust bundle and Java truststores at build time, and records them in the image's provenance attestation. For teams that have been rebuilding Chainguard Containers solely to inject certificates, that rebuild step is gone.

Dependabot now works with private cgr.dev registries. Chainguard resolved all registry-side compatibility issues that previously blocked Dependabot from authenticating against private cgr.dev registries. The registry now returns the proper Bearer token challenge, and tag pagination returns a well-formed empty array on the final page. Dependabot can now automatically enumerate tags and open pull requests to bump Docker image tags from cgr.dev, with no custom tooling required.

Flattened CycloneDX SBOMs. All Chainguard Containers now ship an improved CycloneDX SBOM layout: a flat component list, with the dependency tree declared in the document's dependencies section rather than through nested components, broadening compatibility with enterprise compliance tooling, including Mend SCA. Available directly from the Console or via chainctl, with no new flags or tooling required.
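As an added example (not Chainguard's SBOM tooling), the following loads a constructed CycloneDX 1.5 JSON document in the flat shape described above (every package listed once in `components`, the tree expressed in `dependencies` as `ref`/`dependsOn` pairs) and answers the question a compliance tool asks of it: which components transitively pull in a given package, and along which path. The bom-refs, package names and versions are made up; the `pkg:apk/example/...` namespace is a placeholder.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 document in the flat layout: "components" is a single
# list with no nested component lists; all edges live in "dependencies".
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "img", "type": "container", "name": "example-image"}},
  "components": [
    {"bom-ref": "pkg:apk/example/python-3.11@3.11.9-r0", "type": "library", "name": "python-3.11", "version": "3.11.9-r0"},
    {"bom-ref": "pkg:apk/example/openssl@3.3.1-r0", "type": "library", "name": "openssl", "version": "3.3.1-r0"},
    {"bom-ref": "pkg:apk/example/libcrypto3@3.3.1-r0", "type": "library", "name": "libcrypto3", "version": "3.3.1-r0"},
    {"bom-ref": "pkg:apk/example/ca-certificates@20240705-r0", "type": "library", "name": "ca-certificates", "version": "20240705-r0"}
  ],
  "dependencies": [
    {"ref": "img", "dependsOn": ["pkg:apk/example/python-3.11@3.11.9-r0", "pkg:apk/example/ca-certificates@20240705-r0"]},
    {"ref": "pkg:apk/example/python-3.11@3.11.9-r0", "dependsOn": ["pkg:apk/example/openssl@3.3.1-r0"]},
    {"ref": "pkg:apk/example/openssl@3.3.1-r0", "dependsOn": ["pkg:apk/example/libcrypto3@3.3.1-r0"]},
    {"ref": "pkg:apk/example/libcrypto3@3.3.1-r0", "dependsOn": []},
    {"ref": "pkg:apk/example/ca-certificates@20240705-r0", "dependsOn": []}
  ]
}
"""


def load_sbom(text):
    """Parse a flat CycloneDX JSON document into (doc, components-by-ref, edges)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in doc["components"]}
    # The flat layout guarantees no component carries its own nested list.
    nested = [ref for ref, c in components.items() if c.get("components")]
    if nested:
        raise ValueError("nested components found: %s" % nested)
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return doc, components, edges


def components_by_name(components, name):
    return [ref for ref, c in components.items() if c.get("name") == name]


def reverse_edges(edges):
    rev = {}
    for parent, children in edges.items():
        for child in children:
            rev.setdefault(child, []).append(parent)
    return rev


def dependents_of(edges, target):
    """Every ref that reaches target transitively: BFS over the reversed graph."""
    rev = reverse_edges(edges)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for parent in rev.get(node, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_paths(edges, root, target):
    """All paths root -> ... -> target, the evidence trail a finding should carry."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against cycles in malformed SBOMs
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    doc, comps, edges = load_sbom(SBOM_JSON)
    target = components_by_name(comps, "libcrypto3")[0]
    print("reachable from:", sorted(dependents_of(edges, target)))
    for path in affected_paths(edges, "img", target):
        print(" -> ".join(path))
```

With the tree in `dependencies` rather than nested under each component, the lookup is a graph walk over one index instead of a recursive descent through arbitrarily deep objects, which is why flat documents are easier for SCA tools to ingest.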

Explore the full Chainguard Containers catalog or talk to our team about running Chainguard in your environment.

The full picture

From the artifacts your agents pull to the pipelines they run through to the coalition organizing the defense of the open source ecosystem underneath it all, Innovation Week: AI Readiness covers the breadth of the problem: hardened containers and libraries as the foundation, CI/CD pipeline security for everything code flows through, IDE integrations that make the secure path the easy path, expanded scanner partnerships for verifiable remediation, and Athena as the coordinated defense layer for what frontier models are about to find.

Get all the details about our AI Readiness Innovation Week announcements.

