Build, Customize, Sustain: Exposing the Chainguard Factory for Every Customer
EOL Grace Period, Private APK Repositories, and Custom Assembly features included for all Chainguard Containers customers
Every Chainguard artifact is assembled and distributed by what we call the Chainguard Factory – a secure-by-design build system with robust automation and infrastructure that underpins Chainguard OS. The Factory is core to Chainguard’s DNA – it’s how we continuously build open source artifacts from source and compile, sign, patch, and distribute our core products: Chainguard Containers, Chainguard Libraries, and Chainguard VMs. To date, we’ve only exposed these end products of the Factory to our customers, instead of the Factory’s raw capabilities.
But now, we’re giving customers more direct access to the Factory and putting its power in your hands. We’re excited to announce that every Chainguard Containers customer gets access to EOL Grace Period, Private APK Repositories, and Custom Assembly immediately. Together, these capabilities give platform engineers, application developers, and security teams more flexibility to build with Chainguard APKs, securely customize their Chainguard Containers, and transition to updated software versions on their own timelines.
In this blog post, we’ll walk you through each product feature in detail and share our future roadmap plans to expand on these capabilities.
EOL Grace Period: Time and Flexibility to Update Software Without Sacrificing Security
Many Chainguard customers rely on unmaintained open source software due to the costs and complexities of migrating to updated versions. Long release cycles, unexpected upstream bugs or incompatibilities, and internal code freezes can make migrations messy and slow. Yet, every Chainguard customer recognizes that running unmaintained end-of-life software in production environments is a security non-starter.
EOL Grace Period extends the Factory’s coverage to include software that has been marked end of life so that customers have more time and flexibility to migrate to updated versions – without sacrificing their security posture. Specifically, Chainguard will continue to rebuild EOL container images and remediate CVEs in their non-primary packages for up to six months past the initial EOL date. With EOL Grace Period, Chainguard allows busy engineering teams to gradually transition to up-to-date software on their own timelines, while mitigating supply chain threats stemming from unmaintained software.
In the coming months, we’ll be expanding EOL Grace Period capabilities to surface image metadata (e.g., EOL dates, LTS status, and more) via an API that can be integrated into other systems, such as Slack, and adding coverage for software that follows single-version release streams.
EOL Grace Period is now generally available. Check out our docs and this demo video to learn more about EOL Grace Period.
Private APK Repositories: Direct Access to Secure APKs
Chainguard’s customers have long asked us for an easier way to directly access the minimal, secure APKs that underpin their Chainguard Containers. These customers want to embed Chainguard packages directly in their CI/CD pipelines instead of relying on untrusted and insecure components from public sources.
Private APK Repositories answers this need by exposing direct access to the raw materials (i.e., packages) that the Chainguard Factory assembles into our products. Specifically, Chainguard is providing customer-specific repositories that surface the APKs underlying your container images. Direct access to Chainguard packages reduces complexity in building containers while preserving the familiar APK workflow. And while Chainguard does not track our CVE remediation SLA at the package level – we track it at the container image level instead – the APKs included in your personalized package repository benefit from that SLA because they come from an image that Chainguard is continuously rebuilding and patching.
Private APK Repositories is currently in beta and will be generally available this summer. Check out our docs and this demo video to learn more about Private APK Repositories.
Custom Assembly: Secure Image Customization Without Complexity
Many customers have asked us to help them extend and customize our container images, while maintaining end-to-end integrity of the final artifact. To satisfy their development and security requirements, many customers were manually building and maintaining customized images through complex, cumbersome, and brittle pipelines. And in the process, they were introducing vulnerable, insecure packages into their environment. This status quo for image customization introduced additional infrastructure overhead, developer toil, and unnecessary security risk.
Custom Assembly simplifies image customization by giving customers programmatic access to the Chainguard Factory. Customers dictate image customizations that Chainguard builds and maintains on their behalf. Specifically, customers can add packages from their Private APK Repos to the source image of their choice. That customized image is built and maintained in the Factory using our secure-by-design build system and automation, and is guarded under Chainguard’s CVE remediation SLA. Custom Assembly thus saves customers costs in the form of infrastructure (COGS), engineering hours (operating expenses), and complexity (hidden costs). Customers like Canva are already starting to realize these benefits:
“Chainguard’s Custom Assembly allows for customization without complexity. It lets us easily add the specific packages we need while maintaining the security and integrity of the images.”
Our post-GA roadmap for Custom Assembly includes the ability for customers to automate the customization of their Chainguard Containers with GitHub Actions and Terraform in addition to using the console UI, the ability for customers to bundle their custom certificates onto our images, and fully self-serve provisioning for new customizable images.
Custom Assembly is currently in beta and will be generally available this summer. Check out our docs and this demo video to learn more about Custom Assembly.
Getting Started with EOL Grace Period, Private APK Repositories, and Custom Assembly Today
We’re excited to hear your feedback as you get your hands on the Chainguard Factory and start building with Private APK Repositories, Custom Assembly, and EOL Grace Period. Your feedback will play a key role in shaping Chainguard’s roadmap so that we can deliver even more value to our customers.
If you’d like to learn more about the Chainguard Factory or how Chainguard’s minimal, zero-CVE containers can transform your software supply chain, reach out today. Existing Chainguard Containers customers can get started with these features by reaching out to your account teams and exploring the docs linked above.