
No CVEs, No Surprises: Chainguard and the UK Software Security Code of Practice

Lewis Reeves, Senior Enterprise Solutions Engineer

The United Kingdom’s new Software Security Code of Practice (SSCoP) is a wake-up call for every organization developing or distributing software. Co-designed with the National Cyber Security Centre (NCSC) and shaped by public input, it outlines 14 practical principles across four core areas—secure development, build integrity, deployment, and customer communication—all aimed at reducing software supply chain risk and strengthening digital resilience.


For UK businesses, particularly those developing and selling B2B software, the SSCoP is far more than a tick-box exercise; it’s a practical framework for building software that is secure by default, transparent in operation, and resilient throughout its lifecycle. Aligned with global efforts like NIST’s Secure Software Development Framework (SSDF) and the EU Cyber Resilience Act, the SSCoP sets a credible, achievable standard.


Chainguard helps organizations be secure by default. Chainguard Containers are hardened, minimal, and continuously patched—delivering zero known CVEs, built-in provenance, and signed SBOMs out of the box. With attestations signed via Sigstore and built in a SLSA (Supply-chain Levels for Software Artifacts) Level 2 environment, they embody security that’s not bolted on, but baked in from the start.


To make it easy for organizations to see how Chainguard supports compliance with the UK Software Security Code of Practice, we’ve directly mapped our capabilities to each of the 14 principles set out in the guidance.


Secure Design and Development


The first theme in the SSCoP sets the foundation: security must be built in from the very beginning. It’s not enough to patch vulnerabilities after the fact. Organizations must adopt secure practices throughout the software development lifecycle (SDLC). This means using robust frameworks, understanding what’s in your code, testing rigorously, and embedding security principles by design.


Here’s how Chainguard helps you meet each of the four principles in this category:


  • 1.1: Follow an established secure development framework: Chainguard’s production pipeline is built to SLSA standards as part of the Chainguard Factory, ensuring every build step is secure and verifiable. This aligns tightly with both the NCSC’s guidance and global best practices like NIST’s SSDF, offering a dependable foundation for secure development.

  • 1.2: Understand the composition of the software and assess third-party risk: Every Chainguard Container ships with a signed Software Bill of Materials (SBOM) and attested provenance, giving you full visibility into your software’s components and their origin. This transparency enables you to assess and manage third-party risk effectively—no black boxes, no surprises. Chainguard’s software also includes transparent metadata, making it possible for third party SCA tooling to consistently scan and create reliable SBOMs.

  • 1.3: Have a clear process for testing software and updates before distribution: Our container images are built in reproducible, policy-enforced pipelines and are tested before release. They are published with zero known CVEs, ensuring that what you deploy is not only functional, but also secure.

  • 1.4: Follow secure by design and secure by default principles: Chainguard Containers are minimal and hardened, stripping out unnecessary packages and dependencies to drastically reduce the attack surface. They are also configured to run as a non-root user by default, limiting permissions that may present risk. This isn’t security added as an afterthought; it’s embedded from the start and continuously maintained.


Build Environment Security


Building software securely doesn’t stop at writing safe code. The environments in which software is built must also be protected, as compromise here can undermine the integrity of even the most carefully written applications. The SSCoP outlines clear expectations to secure build systems against tampering and ensure full visibility into any changes that occur.


Chainguard delivers on these principles by offering build infrastructure that is secure by default, fully traceable, and rigorously controlled:


  • 2.1: Protect the build environment against unauthorized access: Chainguard’s build pipeline uses hermetic, tamper-resistant environments that eliminate undeclared dependencies and enforce deterministic outcomes. Each build is accompanied by signed provenance, ensuring the integrity and authenticity of every artifact. This level of protection makes it significantly harder for attackers to introduce malicious code or interfere with your builds.

  • 2.2: Control and log changes to the build environment: All Chainguard builds are reproducible and executed in transparent, policy-enforced pipelines, allowing you to verify what was built, how, and when. Every change is logged, controlled, and auditable, providing the evidential chain needed for compliance and peace of mind.


Secure Deployment and Maintenance


Security doesn't end at release—software must be continuously maintained, monitored, and updated throughout its lifecycle. The SSCoP underscores the importance of proactive vulnerability management and responsible communication practices to reduce risk after deployment.


Chainguard helps organizations go beyond reactive security with a platform built for constant assurance and operational resilience:


  • 3.1: Distribute software securely: All Chainguard packages are cryptographically signed using Sigstore, accompanied by verifiable SBOMs and signed provenance, ensuring every image you deploy is authentic and tamper-proof.

  • 3.2: Publish a vulnerability disclosure process: Chainguard maintains a clear, coordinated vulnerability disclosure policy covering both inbound reports and outbound disclosures, backed by a dedicated security team that ensures timely, transparent handling of security issues affecting our ecosystem.

  • 3.3: Detect, prioritise, and manage vulnerabilities proactively: With continuous CVE scanning, automatic patching, and daily rebuilds, Chainguard Containers stay consistently free of known vulnerabilities, removing the burden from your internal teams.

  • 3.4: Report vulnerabilities to relevant parties: When vulnerabilities are discovered, Chainguard not only mitigates them internally, but also collaborates with upstream and downstream partners, ensuring the wider ecosystem benefits from responsible disclosure via a security advisory feed.

  • 3.5: Provide timely updates, patches, and notifications: Chainguard’s daily rebuilt images deliver near-immediate patching of security issues, and carry an industry-leading CVE SLA of 7 days for critical and 14 days for high, medium, and low CVEs. Users are kept informed via detailed release notes and GitHub notifications, ensuring transparency and trust.
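Principle 3.1 above describes what ships with each image: a Sigstore signature, an SBOM, and signed provenance. The check a consumer still has to make is that the provenance attestation is bound to the exact image digest being deployed and was produced by the builder they expect. The example below is added here and is not Chainguard's code; it assumes the Sigstore signature has already been verified by `cosign verify-attestation`, whose output envelope shape it mirrors, and the image name, digest and builder id are constructed placeholders.

```python
import base64
import json

# Constructed sample: the shape of one envelope that `cosign verify-attestation`
# prints after checking the Sigstore signature. The image name, digest and
# builder id are placeholders, not real Chainguard values.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/placeholder-image",
                 "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build-type"},
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
}
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "placeholder-signature"}],
}


def check_provenance(envelope, image_digest, expected_builder):
    """Return a list of policy findings; an empty list means the attestation passes.

    Signature validity is assumed (cosign's job). This checks only that the
    statement is SLSA v1 provenance for the deployed digest from the expected builder.
    """
    findings = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return ["unexpected payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        findings.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("not SLSA v1 provenance")
    # The subject binds the attestation to specific artifacts; the deployed
    # digest must be one of them, otherwise the provenance describes something else.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in digests:
        findings.append("subject digest does not match deployed image")
    builder = (stmt.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder:
        findings.append(f"unexpected builder id: {builder!r}")
    return findings
```

In practice the digest comes from the image reference you are about to deploy and the expected builder id from your own policy, so a mismatch on either blocks the rollout rather than merely logging it.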


Communication with Customers


Clear and timely communication is fundamental to maintaining trust between software vendors and their customers. The SSCoP recognises that even the most secure systems require robust, transparent engagement to manage support lifecycles and respond to incidents effectively.


Chainguard ensures your teams and customers are never left in the dark, with proactive, reliable communication built into every step of our delivery model:


  • 4.1: Inform customers of support & maintenance levels: We maintain a public, transparent support and lifecycle policy for all Chainguard Containers, including long-term support (LTS) options to suit enterprise requirements and compliance needs.

  • 4.2: Give at least 1 year’s notice for end-of-support: Our end-of-life notices are published well in advance, following industry best practices, so your teams can plan upgrades and transitions with confidence and minimal disruption.

  • 4.3: Share information on notable incidents impacting customers: In the rare event of a critical issue, Chainguard ensures customers are informed promptly through secure channels, supplemented by public documentation, to help them assess impact and respond swiftly.


Comply with the Code using Chainguard Containers


As the UK Government sharpens its focus on improving software security and resilience, the SSCoP provides a clear and actionable baseline for software vendors operating in the UK. It reflects a growing global consensus: security must be built in, not bolted on.


At Chainguard, we believe secure software should be the default, not the exception. Our solutions are purpose-built to help organisations meet the Code’s principles with confidence and efficiency.


For UK software vendors, adopting the Code isn't just good practice: it’s a strategic move to build customer trust, stay ahead of regulatory expectations, and reduce long-term risk. Chainguard is here to make that journey faster, simpler, and more secure. Talk to an expert today.

