
This Shit is Hard: The life and death of a CVE in the Chainguard Factory

Patrick Smyth, Principal Developer Relations Engineer

It’s the Monday before Thanksgiving, and a balmy morning in Cary, North Carolina. At 9:54 a.m., Keith Zantow, an engineer at Anchore, pushes a commit. Just under a day later, on November 25 at 9:18 a.m., a GitHub Security Advisory hits the feed.

The machine rumbles to life.

The Machine

Within two hours of the security advisory, the Chainguard Factory has registered that a new patch is available. A fix is queued.

On Wednesday evening, scanners are run against every package in the Factory using this new advisory data. A match is detected: k9s depends on the vulnerable code.

At 6:11 p.m., an issue is created. Immediately, Driftless AF, Chainguard’s agentic framework, spins up. In this context, the agent holds both the current and required states of the code and works to reconcile them. Forty-one seconds later, the agent drops a comment:

It's a confirmed high-severity vulnerability, and the fix is simple: bump Grype from v0.101.1 to v0.104.1.

The issue waits in the queue overnight. It’s now 7 a.m. on Thanksgiving morning. In New York City, the parade day floats are lining up on Fifth Avenue. The pies are out of the oven, and the turkey is waiting its turn to go in.

At 7:20 a.m., Thanksgiving morning, OctoSTS bot opens a pull request. One line is added to k9s.yaml. Twenty-nine CI checks run. Eleven minutes later, the PR merges. Since the PR is a version bump and all tests pass, no human involvement is required. At 7:37 a.m., the advisory hits the public feed: k9s 0.50.16-r4, fixed. It’s been 46 hours since the CVE advisory went out on GHSA.

In six hours, the Packers will face the Lions — plenty of time for cranberry sauce.

November: A month to remember

CVE-2025-65965 was not an exceptional CVE: it had a high severity rating but a relatively small blast radius, and it was easily remediated by bumping versions. What was excellent, however, was that November 2025 was the largest month for CVE detection and remediation in Chainguard’s history.

Over the course of the month, Chainguard remediated 2,960 unique CVEs, triaging 10,493 scanner hits against packages. This represented an over 9x jump from October. During this time, Chainguard maintained 100% adherence to our industry-leading SLA, which requires all critical CVEs to be remediated within 7 days and all high, medium, and low CVEs within 14 days.

While November was a month to remember, it’s not because our hats were on fire. Besides time off for a US holiday, our engineers also needed time to travel to and from an engineering huddle. How was it possible to have our biggest remediation ever without a five-alarm fire?

The Factory

The Factory is the beating, YAML-filled heart of everything we do at Chainguard. Fundamentally, it’s a build system that monitors over 10,000 open source projects. When a release is tagged upstream, or the GHSA or NVD feeds are updated, the Factory rumbles into action, fetching source, checking checksums, applying build rules, rebuilding, and testing, testing, testing. We also rebuild any project that depends on a rebuilt package, and we do periodic world rebuilds just because it feels good to be alive.
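The two mechanical steps in the story above (the scanner matching a fresh advisory against every package's dependencies, and the rule that anything depending on a rebuilt package is rebuilt too) can be shown end to end in a few dozen lines. The following is an added illustration, not Chainguard's Factory code: the advisory record shape, the vulnerable version range, the package catalogue, and the `example-*` dependents graph are all constructed here. Only the grype bump target `v0.104.1` and the k9s dependency on `v0.101.1` follow the post.

```python
"""
Constructed walk-through of two Factory steps described in the post:
(1) match a new advisory against each package's dependency list to find
    who needs a version bump, and
(2) compute the transitive set of packages that must be rebuilt afterwards.
Not Chainguard's code; all data below is invented for illustration.
"""
from collections import deque

# Constructed advisory record (the shape is an assumption, not the GHSA schema).
# fixed_in mirrors the bump target in the post; vulnerable_from is invented.
ADVISORY = {
    "id": "GHSA-xxxx-placeholder",
    "module": "github.com/anchore/grype",
    "vulnerable_from": "v0.0.0",
    "fixed_in": "v0.104.1",
}

# Constructed slice of a package catalogue: each package's own version and
# the modules it depends on.
PACKAGES = {
    "k9s": {"version": "0.50.16-r3", "deps": {"github.com/anchore/grype": "v0.101.1"}},
    "example-scanner": {"version": "2.1.0", "deps": {"github.com/anchore/grype": "v0.104.1"}},
    "example-dashboard": {"version": "1.0.0", "deps": {"github.com/example/tabulate": "v3.2.0"}},
}

# Constructed reverse dependency graph: package -> packages that build on it.
DEPENDENTS = {
    "k9s": ["example-k9s-plugin"],
    "example-k9s-plugin": ["example-devshell"],
}


def parse_version(v):
    """'v0.101.1' or '0.50.16-r3' -> (0, 101, 1) / (0, 50, 16).
    The -rN package revision is dropped: advisories speak in upstream versions."""
    core = v.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, vulnerable_from, fixed_in):
    """Half-open range check: vulnerable_from <= version < fixed_in.
    A dependency already at the fixed version is therefore not affected."""
    return parse_version(vulnerable_from) <= parse_version(version) < parse_version(fixed_in)


def find_bumps(advisory, packages):
    """Scanner step: which packages carry an affected version of the advisory's
    module, and what they must bump to. Returns {package: (current, fixed_in)}."""
    bumps = {}
    for name, pkg in packages.items():
        current = pkg["deps"].get(advisory["module"])
        if current and is_affected(current, advisory["vulnerable_from"], advisory["fixed_in"]):
            bumps[name] = (current, advisory["fixed_in"])
    return bumps


def rebuild_set(changed, dependents):
    """Rebuild step: everything that transitively depends on a rebuilt package
    is rebuilt too. Breadth-first walk over the reverse graph; the result
    includes the seed packages themselves."""
    todo = deque(changed)
    seen = set(changed)
    while todo:
        pkg = todo.popleft()
        for child in dependents.get(pkg, ()):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


def plan(advisory=ADVISORY, packages=PACKAGES, dependents=DEPENDENTS):
    """End to end: advisory in, bump list and sorted rebuild set out."""
    bumps = find_bumps(advisory, packages)
    return {"bumps": bumps, "rebuild": sorted(rebuild_set(bumps, dependents))}


if __name__ == "__main__":
    result = plan()
    for pkg, (current, fixed) in result["bumps"].items():
        print(f"{pkg}: bump {ADVISORY['module']} {current} -> {fixed}")
    print("rebuild:", ", ".join(result["rebuild"]))
```

With the constructed data, only k9s is flagged (example-scanner already sits at the fixed version), and the rebuild set fans out from k9s to the two packages that build on it; in a real factory the graph is thousands of nodes, which is why the rebuild-dependents rule matters as much as the bump itself.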

Because of the Factory, CVEs are remediated at Chainguard in an average of two days, and only 22% of CVE remediations require direct human intervention. In 2026, with the advent of Factory v2 and Driftless AF, we anticipate this number to continue to trend lower. This allows our engineers to move up a level, taking more time to design tests, refine processes, and build more securely up front, rather than manually triaging individual CVEs.

Black Friday and beyond

The writer G.K. Chesterton once wrote: “Chaos is dull, because in chaos the train might indeed go anywhere. No, take your books of mere poetry and prose; let me read a time table, with tears of pride.” We at Chainguard also prefer order to chaos. For us, smoothly running automation is pure poetry, and we count every boring day for our customers as a victory.

At 11:15 p.m. EST, the nightly builds for our Chainguard Containers kick off, and remediations for CVE-2025-65965 are pulled into images. Before we can even dig into our Thanksgiving leftovers or plan our Friday runs to big box stores, our CVE has been remediated in every tag and version, ready for our customers to pick up on Black Friday morning. During Thanksgiving week, CVE-2025-65965 has been a typical CVE within an atypically efficient system: the Chainguard Factory. How’s that for a doorbuster?
