Assemble 2026: Opening Keynote
With Dan Lorenc, CEO & Co-Founder of Chainguard
In the opening keynote of Chainguard Assemble 2026, we announced Chainguard OS Packages, Chainguard Catalog Starter, Chainguard Commercial Builds, Chainguard Repository, Chainguard Actions, Chainguard Agent Skills, and the Guardener. Chainguard CEO and Co-Founder Dan Lorenc is joined by several guests from organizations such as OpenAI, GitLab, and MRI Technologies to discuss how software development is changing in 2026 with the acceleration of AI, and how organizations are adapting.
AI in the SDLC Panel: Friend, Foe, or Both?
With Trey Caliva (Staff Platform Engineer, Abridge AI), Dwayne McDaniel (Senior Developer Advocate, GitGuardian), Jon Ceanfaglione (Chief Architect, DevSecOps and IT Automation Practice, IBM Federal), and Emilia David (Writer, VentureBeat)
AI is transforming the software development lifecycle: accelerating delivery while introducing new risks. In this session, we'll examine where AI adds value, where it creates vulnerabilities, and how to set guardrails that balance speed with security. You'll leave with a practical framework to decide when to embrace AI, when to be cautious, and how to prepare for what's next.
Cracking the Compliance Code: Building Trust for Government-Grade Cloud Security
With Vijaya Ganesh Varadaraja Muthukumar (Director of Product Engineering, Platform, Iron Mountain), Matt Conner (CISO, Second Front), Rob Gil (Sr. Director, Federal Architecture, Okta), Katie Norton (IDC Analyst), and Quincy Castro (CISO, Chainguard)
FedRAMP is the benchmark for cloud security in the federal space, but achieving it is complex and resource-intensive. This session breaks down the new compliance requirements, why it matters beyond government contracts, and how to integrate best practices into everyday workflows.
Product Deep Dive: Chainguard Libraries
With Angela Zhang (Senior Product Manager, Chainguard), Ross Gordon (Staff Product Marketing Manager, Chainguard), Bria Giordano (Director, Product Management, Chainguard) and Dan Ryan (Engineering Manager, Chainguard)
Chainguard Libraries are drop-in, malware-resistant replacements for your Python, Java, and JavaScript dependencies. In this session, we'll explore how we close the "integrity gap"—the risk that allowed the Shai-Hulud worm and the hijack of Chalk and Debug to bypass traditional security tools. You'll see what's next on the roadmap, learn how these libraries integrate into your existing builds, get a sneak peek into the Chainguard Factory, and discover how to eliminate the constant fire drills and manual triage that exhaust your engineering teams.
Product Deep Dive: Chainguard Containers
With Billy Lynch (Staff Software Engineer, Chainguard) and Sam Katzen (Director, Product Marketing, Chainguard)
Chainguard Containers deliver secure, minimal, and continuously maintained container images designed to eliminate vulnerabilities and reduce supply chain risk. In this session, we’ll explore the Chainguard Containers roadmap — what's new, what's next, and how upcoming features will make it even easier to maintain compliance and security at scale. You'll see how Chainguard Containers integrate into existing workflows, improve developer productivity, and provide a stronger foundation for running software in production.
Building the Business Case for Trusted Open Source
With Ed Sawma (VP, Product Marketing, Chainguard) and Adeel Saeed (SVP, CTO, Kyndryl)
Open source is the engine of innovation, but when vulnerabilities slip in, they also become a hidden cost center. You'll walk away with the data and narrative you need to build executive-level support for secure, trusted open source programs that are a strategic growth lever.
Securing the Next Moon Age: Automated Compliance Powers the Next Giant Leap
With Collin Estes, Technical Director - NASA's Mission Enabling Services Contract at MRI Technologies
NASA's Artemis and Habitable Worlds Observatory missions demand a secure, continuously compliant software foundation for next-generation AI, simulation, and HPC workloads. Partnering with Chainguard, MRI Technologies solved one of the toughest challenges in DevSecOps — continuous ATO — by securing the software supply chain from source to runtime. Using a GitOps-driven approach and lightweight Kubernetes Operators for continuous patching, CVE mitigation, and compliance reporting, MRI now operates with trusted, secure-by-default software that powers Project Luna, NASA's new cloud-native ecosystem for mission-critical innovation.
Attacks Rewritten: Where Malware Enters the Build
With Manfred Moser (Sr. Principal Developer Relations Engineer, Chainguard) and Patrick Smyth (Principal Developer Relations Engineer, Chainguard)
Most supply chain attacks don't target production — they exploit the build. This session unpacks how and where malware slips into builds, with a look at recent real-world attacks and what could've stopped them.
We'll show how Chainguard Libraries, by building from source with full provenance, blocked ~99.7% of known malicious npm packages in testing. Learn how build-time protection changes the game, and walk away with practical strategies to get started with Chainguard Libraries.
Third-Party Image Management at Scale
With Abdullah Munawar, Director, Product Security at Appian
Third-party images are fundamental to cloud infrastructure, playing a critical role in various functions across the industry. However, organizations frequently struggle to maintain security and compliance for these images, particularly when operating at scale. In this session, we'll delve into these challenges and explore a range of potential solutions.
Attendees will leave with a clearer picture of the problem and diverse strategies for securing third-party components in large-scale environments.
Chainguard FIPS: Past, Present, and Future
With John Slack (Senior Product Manager, Chainguard) and Dimitri John Ledkov (Principal Software Engineer, Chainguard)
FIPS compliance has long been a challenge for regulated organizations. This session explains how Chainguard simplifies FIPS adoption and introduces the Chainguard FIPS Provider for OpenSSL 3.4 — the first FIPS-validated OpenSSL 3.4 module. With zero known CVEs, a commitment to resubmit for any in-boundary vulnerability, and 2030-ready cryptography, it brings compliance and security together in a continuous, audit-ready model.
Getting Started with Chainguard Containers
With Rob Best, Senior Solutions Architect at Chainguard
New to Chainguard? This session breaks down what makes Chainguard Containers different from upstream images and how to use them effectively. We'll walk through building containers (including multi-stage builds and a few advanced techniques), key migration differences, and important changes to permissions, tags, and entry points.
You'll also learn practical approaches to dependency hygiene and automating updates so you can modernize builds, reduce risk, and ship faster with Chainguard.
This Shit is Hard: Inside Chainguard's Agentic Factory
With Dustin Kirkland, SVP, Engineering at Chainguard
Behind every “secure by default” release is a whole system of engineering, automation, and trust mechanisms — and making all that reliable at scale is seriously challenging. In this session, we'll pull back the curtain on Chainguard Factory 2.0: how we've evolved our build pipelines, verification layers, and operational controls to bring trust guarantees into daily software delivery.
You'll hear about our toughest lessons, architectural changes, and trade-offs (including real failures). If you're building or scaling a secure infrastructure or build system, this is your chance to see what happens when the rubber meets the road — and walk away with practical inspiration (and war stories) you can adapt.
This Shit is Hard: Build Isolation for SLSA 3
With Mark Manning, Principal Product Security Engineer at Chainguard
Getting to SLSA Build Level 3 sounds great on paper, but in practice, the hardest problems arise within the build system itself — where isolation, trust boundaries, and automation collide with real-world CI/CD constraints. In this session, we'll share firsthand experiences pushing builds toward SLSA 3, from discovering why “containerized” isn't truly isolated, to redesigning build environments and separating signing and provenance from the build process. We'll dig into build isolation, provenance generation, and the operational telemetry that reveals where theory breaks down in modern pipelines. Expect a candid look at what actually works (and what definitely doesn't), along with practical guidance for using SLSA to clearly explain how your build system mitigates supply chain threats for your organization.
Developer Productivity Without Compromise
With Brandon Heard, Technical Leader, Cloud and Infrastructure at PeopleTec
Security shouldn't slow engineers down. In this session, we'll share how platform and engineering teams use Chainguard to improve productivity by removing friction from the software supply chain. You'll walk away with proven strategies to drive adoption, from winning over early adopters to creating low-friction onboarding and feedback loops. Learn how leading organizations are balancing developer autonomy with enterprise consistency and the practical steps to accelerate adoption and achieve standardization without slowing innovation.
Breaking the Release Monolith: How OutSystems Built a Platform Engineering Solution that Reduced Lead Time by 10x
With Maria Chec (Principal Technical Program Manager, OutSystems) and João Brandão (Director of Engineering, OutSystems)
At OutSystems, releasing software once felt like pulling teeth. Teams were stuck in a slow, monolithic release process with week-long lead times, fragile pipelines, and growing developer frustration. To change this, the team built Pegasus — a continuous delivery platform that combines team autonomy with strong guardrails.
With Pegasus, teams now deploy independently, securely, and in under 24 hours, achieving Elite DORA performance. This session explores how to transform delivery at scale, the mindset shifts that make it possible, and the metrics that prove success in both productivity and reliability.
Dispelling the Myths of Advisory Feeds
With Patrick Smyth (Principal Developer Relations Engineer, Chainguard) and Gus Evangelakos (VP of Global Sales Engineering, Orca)
Advisory feeds are the ultimate source of truth, right? In this lightning talk, Orca and Chainguard pull back the curtain on how advisory data is actually produced, aggregated, and consumed by scanners and platforms. We'll dig into a few pervasive myths: that missing advisories imply safety, that pristine zero CVE dashboards always reflect reality, and that scanner disagreements are proof a tool is broken.