Building the secure-by-default future of open source
Chainguard builds and maintains an open toolchain for secure software delivery, contributes upstream fixes, and leads critical projects across the cloud-native ecosystem. We contribute back because it's the right thing to do—not to keep score, but to make the entire ecosystem more secure for everyone.
100+
Projects actively maintained and contributed to.
18+
Leadership positions across critical OSS foundations.
Automated
Bots monitoring upstream for new security releases.
Upstream-First
Fixes before scanners detect vulnerabilities.
OUR OPEN SOURCE TOOLS
The tools we build and maintain
Essential infrastructure for secure-by-default software delivery.
Wolfi
A community Linux (un)distribution designed for containers and cloud-native workloads. Built with security as a first-class concern, providing full provenance and SBOM support from the ground up.
Octo-STS
OIDC token exchange for GitHub Actions enabling secure, keyless authentication for CI/CD workflows. Bridges the gap between GitHub Actions and external identity providers.
gitsign
Makes it effortless to sign commits and tags in CI environments. Leveraging Sigstore's keyless signing, it brings cryptographic verification to your Git history without key management burden.
digestabot
Keeps image digests current through automated PRs. Prevents supply chain attacks by ensuring deployments reference verified image versions.
dfc (Dockerfile Converter)
Helps teams transition from traditional Dockerfiles to declarative, reproducible apko and melange configurations. This migration helper accelerates the path to more secure, maintainable container builds.
Terraform Provider
Build, sign, attest, test, and publish container images entirely as infrastructure code. No manual steps, no drift, just reproducible builds.
Bazel rules_apko
Bazel rules for hermetic image builds with locked dependencies. Integrates secure container creation seamlessly into Bazel workflows.
apko
Declarative OCI image builder that produces minimal, reproducible container images with attestations and SBOMs. Eliminates the complexity of traditional Dockerfile builds.
melange
Declarative APK packaging system with multi-architecture support, built-in linters, and signing capabilities. Powers modern secure software distribution from source to package.
COMMUNITY CONTRIBUTIONS
Open source projects we contribute to
Chainguard team members create, maintain, and lead some of the most widely-used open source projects.
Kubernetes
Sigstore
SLSA
Tekton
Knative
Cosign
Rekor
gitsign
Wolfi
Trino
FOUNDATION MEMBERSHIPS
Active participation across the ecosystem
We support and participate in the organizations shaping the future of open source.
Linux Foundation
CNCF
OpenSSF
OCI
Continuous Delivery Foundation
HOW WE CONTRIBUTE
Upstream-first philosophy
We don't just build on open source—we improve it for everyone
Upstream-first approach
We routinely upstream bug fixes and features across the entire stack—from kernel-level hardening to application security. No long-lived downstream patches, just contributions that benefit the entire ecosystem. We're a top 100 contributor to CNCF projects.
Originating security fixes
When upstream lags, we step up. We've authored and upstreamed patches for critical CVEs in BusyBox, LangChain, and other essential components, ensuring the entire ecosystem benefits from our security research.
Advisory feeds & scanner integrations
We publish vulnerability advisories in OSV and secdb formats, running scheduled pipelines to keep security scanners across the ecosystem accurate and current.
REAL-WORLD IMPACT
CVE remediation in action
Examples of how we fix vulnerabilities upstream, not just downstream
BusyBox CVE patches
When long-standing BusyBox CVEs remained unpatched upstream, Chainguard engineers created and submitted patches to the BusyBox maintainers. We fixed CVE-2025-46394 and CVE-2024-58251, contributing the solutions back so all Linux distributions could benefit—not just our own users.
Rapid response
When vulnerabilities are discovered, we don't just patch our own images. We contribute fixes upstream so the entire open source community benefits. Our engineers regularly submit patches, pull requests, and security advisories to upstream projects.
Ecosystem-wide benefits
Our upstream contributions mean that Alpine Linux, Debian, Ubuntu, and other distributions can integrate our security fixes. We believe in strengthening the entire ecosystem, not just building walls around our own products.
AUTOMATED SECURITY
Fixing vulnerabilities before they're detected
Our automated rebuild system delivers security fixes faster than traditional vulnerability scanning
Automated upstream monitoring
Our bots continuously monitor upstream projects for new releases. When security patches drop, our system automatically opens pull requests to rebuild packages—no waiting for CVE databases to catch up.
Hours, not weeks
When Go released version 1.20.6 fixing CVE-2023-29406, we delivered patched images within days. Traditional scanners couldn't even detect the vulnerability yet—the NVD hadn't published the required data, and most scanners ignore standard library issues.
Cascading rebuilds
A single security patch triggers automatic rebuilds across all affected packages. When we patched Go, all 192 Go-based packages in Wolfi were rebuilt with the fix—including cert-manager, etcd, Kubernetes components, and Terraform.
The result
Eliminate risks from compromised build systems and hijacked package distribution mechanisms to mitigate malware attacks like XZ-Utils, MavenGate, and npm Shai-Hulud.
SUSTAINABLE STEWARDSHIP
Chainguard EmeritOSS
Safe, predictable maintenance for mature open source projects that have reached stability.
Kaniko
When Google archived Kaniko in 2025, we stepped in to provide maintenance-only support. We deliver CVE fixes, dependency updates, and maintained images to keep customer workloads running safely during their migration period.
Kubeapps
A beloved tool for deploying and managing applications in Kubernetes clusters. As maintainers reached natural lifecycle transitions, we're ensuring Kubeapps remains secure and operational, giving teams the stability they need during their migration planning.
ingress-nginx
A critical ingress controller embedded in countless Kubernetes deployments. Our stability-focused maintenance gives teams confidence to continue operating securely while evaluating their migration path.
MinIO
Designed for cloud-native and Kubernetes environments, MinIO provides scalable, durable storage for data lakes, backups, artifact storage, and machine learning workloads. With EmeritOSS, we'll continue supporting this high-performance, open source object storage system.
PgCat
PgCat is a PostgreSQL connection pooler and proxy that supports sharding, load balancing, failover, and mirroring. It’s a robust alternative to the classic PgBouncer that we're happy to support.
PushProx
Prometheus PushProx is a clever proxy and client solution that lets Prometheus scrape targets even behind NATs or firewalls, all while retaining the familiar pull-based model. This makes it much easier to monitor environments where direct scraping isn’t possible.
Depend on an unmaintained project?
If your organization relies on an archived or unmaintained open source project, we invite you to submit it for consideration. Our goal is to keep essential software running safely for as long as you need it.