Chainguard vs. Docker Hardened Images

Yes. Custom Assembly lets you add packages and certificates to any image (30,000+ packages available). Custom-assembled images remain under Chainguard's CVE remediation SLA when using packages from entitled images (Wolfi OSS packages not backed by a paid image are not SLA-covered, and the FIPS Commitment does not apply to custom-assembled images).

Yes. The contractual SLA guarantees critical CVEs within 7 days and high/medium/low within 14 days. Here is Chainguard's average remediation time in practice, broken down by CVE severity (based on The State of Trusted Open Source: December 2025):

• Critical CVEs: Average under 20 hours (63.5% within 24 hours, 97.6% within 2 days, 100% within 3 days)

• High CVEs: 2.05 days average

• Medium CVEs: 2.5 days average

• Low CVEs: 3.05 days average

Chainguard holds its own CMVP certificates for the Chainguard FIPS Provider for OpenSSL. The implementation is kernel-independent and containers run in FIPS mode without requiring a FIPS-enabled host OS. Docker's FIPS variants require the Enterprise tier and use a third-party CMVP (OpenSSL), which may require additional due diligence to verify rebrand compliance during audits.

Chainguard Libraries provides malware-resistant rebuilds of Python, Java, and JavaScript packages that are built from source with signed SBOMs and SLSA L2 provenance. Libraries plug directly into PyPI, npm, and Maven with zero workflow changes. Chainguard also offers first-party Helm Charts and VM images for secure container hosts.

Chainguard compiles every package directly from source code on Chainguard OS rather than repackaging pre-compiled binaries from Debian or Alpine. This eliminates the risk of supply chain attacks injected into distributed binaries (e.g., the 2024 xz-utils backdoor) and gives Chainguard full control over patching timelines independent of upstream distro release cycles.

Every image is rebuilt nightly. When a new vulnerability is disclosed, the automated build system rebuilds affected packages from source and triggers cascade rebuilds of all dependent images. Because Chainguard controls its own OS and build pipeline, it can patch vulnerabilities independently of any upstream distro.

Both vendors provide SBOMs, Sigstore signatures, and SLSA Build Level 3 provenance attestations. Chainguard builds every package from source on its own OS (Wolfi/Chainguard OS). Docker Hardened Images builds some packages from source while incorporating others from prebuilt archives, resulting in inconsistent build definitions that limit full supply chain transparency.