Introducing Chainguard Commercial Builds: Secure-by-default containers for commercial software

Matt Stead, Product Marketing Manager, and Brad Bock, Director, Product Management

Today, we’re introducing Chainguard Commercial Builds: a new partnership program with commercial and open source software providers that enables us to package their software using the same hardened, AI-native Chainguard Factory used across our artifact catalog. Early partners will include Azul, Chainloop, Elastic, Expanso, F5 NGINX, GitLab, Grafana Labs, Mattermost, Nirmata, Percona, Smallstep, and Tiger Data. Commercial Builds brings the same security guarantees to the commercial software sitting alongside the open source artifacts our customers are already deploying.

“As application architectures grow more complex in the AI era, security must be embedded at every layer,” said Liam Crilly, Sr. Director, Product Management, F5 NGINX. “Chainguard enhances our ability to deliver secure, production-ready container images that align with our commitment to protecting modern and traditional applications alike. This partnership helps customers accelerate delivery while ensuring the integrity and security of their software supply chain.”

Chainguard has spent years earning trust as the gold standard for building secure-by-default open source containers and language libraries, but open source is only part of the stack. Commercial software is often delivered either as binaries or built on general-purpose base images that arrive with OS-level vulnerabilities and no SBOM or CVE remediation SLAs. For many Chainguard customers, that makes it challenging to create a standard security posture or policy to apply across their containerized workloads and environments. As the number of commercial applications in a typical enterprise stack grows, so does the inconsistency: different images, different security postures, different remediation timelines, none of it governed by clear SLAs.

For ISVs whose core focus is building great software, standing up and sustaining open source supply chain security infrastructure is a significant undertaking outside of their core differentiation. It demands continuous vulnerability monitoring, rapid remediation, provenance tracking, SBOM generation, and the tooling to do all of it at scale and speed.

The status quo, where ISVs spend valuable time on undifferentiated container packaging and maintenance, or customers bear responsibility for remediation or risk, is no longer sustainable.

A different model for commercial software

Chainguard Commercial Builds officially introduces a different model for packaging commercial software, giving customers coverage across the entire software stack. We work directly with commercial vendors to package and maintain their software in the same SLSA L3, AI-native Chainguard Factory that delivers trusted open source packages, container images, and library builds.

This means we can deliver commercial software with zero CVEs, minimal attack surface, full provenance, SBOMs, signatures, FIPS validation, and behavioral consistency.

For Customers

Rather than maintaining two separate postures, every layer of the stack meets the same standard, built and maintained by Chainguard. And in an era where AI is accelerating both software development and the sophistication of attacks, knowing that every piece of software you run is verified, minimal, and continuously maintained has become paramount.

The benefits include:

  • Wall-to-wall secure-by-default coverage across the entire stack 

  • Audits get simpler, and compliance timelines shorten

  • Commercial applications, now available with the same guarantees as our OSS containers:

    • Minimal, hardened images

    • Full provenance and SBOMs

    • FIPS readiness and regulatory alignment

    • Predictable CVE response and SLAs

For Software Vendors

As customer expectations for supply chain security rise, ISVs can focus on their core differentiators as opposed to packaging, hardening, and maintaining container images, which has become a specialized discipline – one that requires dedicated tooling, continuous management, and deep supply chain expertise.

The benefits include:

  • Ship hardened containers without building or maintaining security pipelines

  • Meet customer security and compliance expectations out of the box

  • Win regulated and security-sensitive deals without turning product teams into container security teams

  • Generate a potential new revenue stream through revenue sharing

Chainguard plans to expand the Chainguard Commercial Builds Program globally and is actively inviting additional commercial software vendors to participate. Join here.

Powering more use cases with Chainguard Factory

As the traditional SDLC evolves rapidly in the AI era, the importance of building with a trusted, secure foundation of software artifacts has never been more critical. Chainguard Commercial Builds is one of many use cases enabled by the Chainguard Factory, which continuously rebuilds and hardens everything from container images to agent skills and CI/CD workflows. As engineering and security teams continue to adapt to new workflows and processes, Chainguard is now the AI-native stack for secure-by-default software for their open source and commercial applications.

Get started with Commercial Builds

Commercial Builds are already available in the Chainguard Catalog today. Click here to browse available commercial software.
