
Custom Assembly and Private APK Repositories are Now Generally Available

Sourabh Katti, Senior Product Manager, and Aaditya Jain, Senior Product Marketing Manager

We’re excited to announce the general availability of Custom Assembly and Private APK Repositories, two new features for Chainguard Containers that make it simple to customize your Chainguard container images with the Chainguard Factory and directly access trusted Chainguard packages via a customer-specific endpoint.


With Private APK Repos, we’re exposing the core components of our container images to give customers the ultimate flexibility and control in how they consume, build, and ship minimal, zero-CVE open source software. Packages accessible through Private APK Repositories benefit from our SLA (7 days for critical, 14 days for high, medium, and low) since they are sourced from an image that Chainguard is continuously rebuilding and patching.


And with Custom Assembly, every Chainguard Container delivered to your repo is now customizable and extensible via programmatic access to the Chainguard Factory. That means customers can take any stock Chainguard container image, dictate package additions, and kick off a build in our SLSA L2 build system. Chainguard will continuously build, maintain, and guard the customized image under our CVE remediation SLA. 


Check out a demo of Custom Assembly below and read the following blog post to learn more. 



Custom Assembly: Secure Image Customization to Go from Source to Prod


Today, Chainguard offers a catalog of 1,400+ minimal, zero-CVE container images with broad coverage across core programming runtimes and third-party applications like observability tools, databases, web servers, CI/CD infrastructure, dev tools, and more. Still, many of our customers need to customize these source or “stock” images to satisfy the needs of their developers, security requirements, and production environments. That means manually customizing Chainguard Containers through complex, cumbersome, and brittle pipelines that require constant maintenance and introduce vulnerable, insecure packages into their environments. 


To simplify image customization and make it easy and fast to go from source to prod, we built Custom Assembly: automated tooling that gives customers programmatic access to the Chainguard Factory. Customers simply dictate what packages they want to add to the source Chainguard image of their choice – Chainguard then continuously builds and maintains the customized image under our CVE remediation SLA on behalf of the customer. Custom Assembly thus saves customers costs in the form of infrastructure (COGS), engineering hours (operating expenses), and complexity (hidden costs).


Customers like Canva are already starting to realize these benefits: “Chainguard’s Custom Assembly allows for customization without complexity," said Punsoong Khut, Software Engineering Lead at Canva. “It lets us easily add the specific packages we need while maintaining the security and integrity of the images.”


And we’re not stopping with package additions. See our currently planned roadmap for Custom Assembly below and please reach out if you have any feedback!


  • Self-Serve Provisioning: Allow users to provision multiple, customizable variants from the same “stock” (i.e., original source) container image in a fully self-serve manner 

  • Custom Certifications: Simplify the process of bundling custom certificates into Chainguard Containers

  • Customization as Code: Empower developers to customize Chainguard Containers with GitHub Actions and Terraform in addition to using the console UI

Check out our docs to learn more about Custom Assembly. 


Private APK Repositories: Customer-Specific Endpoint for Trusted APKs


Customers asked Chainguard to build a simple mechanism that allows their developers to directly access the APKs underpinning Chainguard’s minimal, zero-CVE images. This would empower devs to pull Chainguard’s packages directly into their CI/CD pipelines instead of relying on the status quo of unvetted and insecure components from public repositories. 


With Private APK Repositories, Chainguard delivered. Now, every Chainguard customer has their own unique endpoint to directly access the packages powering our container images. This approach keeps your existing workflows for package additions and consumption intact, and ensures that every open source component your developers integrate into your infrastructure is minimal, secure, and trusted. Importantly, the packages accessible at Private APK Repos benefit from our SLA as they are sourced from an image that Chainguard is continuously rebuilding and patching.


Check out our docs to learn more about Private APK Repositories. 


Start Building with Custom Assembly and Private APK Repositories Today


We’re excited to hear your feedback as you get your hands on these new features. Your experience and feedback play a critical role in shaping our roadmap so we can deliver even more value to users.


If you’d like to learn more about how Chainguard’s minimal, zero-CVE containers can transform your software supply chain, reach out today.
