Open Policy Agent uses Chainguard Images to safeguard from OpenSSL vulnerabilities

Adrian Mouat, Staff OSS Engineer
January 11, 2023

The Open Policy Agent (OPA), which enables policy-based control for cloud native environments, has adopted Chainguard Images to further safeguard its infrastructure. 

When OpenSSL released security advisories for two vulnerabilities in November 2022, Chainguard released fixed versions of every image that contained the vulnerable version of OpenSSL. Users of any Chainguard Image that depends on OpenSSL have one action to take: update to the latest image. They can expect fixes to be applied and made available quickly.

Others are following suit: Tailscale, along with the open source projects TektonCD and ko, has started using Chainguard Images to mitigate vulnerabilities and minimize attack surface. Vietnam-based VPBank has gone further, adopting Chainguard solutions across its systems to root them in secure-by-default measures, according to Head of Technology Platform Tuan Anh Tran:

About Chainguard Images

Chainguard Images is a collection of container images designed for minimalism and security. The collection includes images covering a wide range of use cases, including base images, compilers, runtimes and applications.

Chainguard constantly scans images for vulnerabilities and rebuilds with the latest security updates. As dependencies are rebuilt from source, we can quickly apply updates and release new images without waiting for updates to Linux distribution packages. Updates to packages are reflected in a security database, which is used by most major scanning products. The end result is a small, hardened container image with zero – or as close as possible – known CVEs.

Chainguard Images are built on Wolfi, our Linux (un)distribution, making the images minimal, secure-by-default, and up-to-date. They’re also based on glibc, making them compatible with most other applications and extensions.

Get started–and let us help

At Chainguard, we are committed to building high-quality, trustworthy base images, and to building secure software with the tooling needed to make remediation faster and more seamless by rooting it in secure-by-default measures. When the next vulnerability affects another common dependency, you can trust Chainguard Images to show clearly when they are vulnerable and when they are not, and to apply security fixes quickly and make them available to you as soon as possible.

Chainguard Images are available for Bazel, curl, Git, Go, Jenkins, Postgres, Prometheus, and more. We have also recently added builds for Ruby 3.2 and Redis 7. Try out any of our Images today at, or get started using documentation in Chainguard Academy. If you’re interested in support contracts, SLAs for vulnerabilities, FIPS-enabled images, or support for custom images or older versions, reach out to our team.
