
Security baked into your software supply chain: The combined benefit of JFrog and Chainguard

Mandy Hubbard, Senior Technical Product Marketing Manager, and Dafna Zahger Bernanka, JFrog Director of Product Marketing, Security

The software supply chain (SSC) is under attack. The recent wave of compromised NPM packages and the ever-rising flow of new SSC risks are putting DevOps and Security teams under unprecedented pressure. The traditional, fragmented approach to security is no longer enough to manage this risk, as it compromises developer velocity.

To truly achieve both speed and security, organizations need to go beyond a fragmented view and demand solutions that not only coexist but, together, turn their SSC into a driver of the business.

The JFrog-Chainguard collaboration helps you do that. Here’s how:

Security at the gate, and security by default

Most teams want a simple promise from their container supply chain. Every image a developer pulls should be secure, consistent, and ready for production. In practice, though, that promise is hard to keep. Popular base images from Docker Hub and other registries typically contain hundreds of vulnerabilities, overwhelming developers with noisy alerts that can cause them to miss the real risks. Chainguard ensures your developers pull secure-by-default container base images that start clean and remain that way through continuous updates.

JFrog Curation acts as the intelligent, policy-driven gatekeeper to your SDLC.

It rigorously inspects all upstream sources, packages, container images, and even AI models, to ensure that only non-malicious, secure, and legally compliant components are ever introduced into your environment. When a developer tries to add a malicious or non-approved package version (e.g., one that breaches your no-GPL policy), Curation offers the most recent compliant version of the requested package as an alternative to the potentially risky one, ensuring a streamlined experience that does not slow down delivery.

Together, Chainguard and JFrog Curation establish a powerful security assurance workflow: You start with base images that are guaranteed secure-by-default (Chainguard), and then you use Curation (JFrog) to enforce that these images, and everything else you consume, are trusted, non-malicious, and compliant with your organizational policies. This unified approach delivers unparalleled security without sacrificing speed.
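To make the gatekeeper behaviour concrete, here is an added example (our own illustration, not JFrog Curation's implementation or API) of a policy-driven ingest gate: a requested package version is checked against a hypothetical policy (deny GPL licenses, allow no worse than medium-severity CVEs, never allow a version flagged as malicious), and when the request is blocked the gate proposes the most recent version of the same package that satisfies every rule. The package "example-lib", its versions, and all the facts about them are constructed for the example.

```python
"""Illustrative model of a policy-driven curation gate.

Added example, not JFrog Curation's implementation or API. It shows the behaviour
the article describes: a requested package version is checked against policy,
and if it is blocked, the gate proposes the most recent version that complies.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Version:
    """One published version of a package, with the facts a gate needs."""
    name: str
    version: str
    license: str
    malicious: bool = False
    max_cve_severity: str = "none"  # highest severity reported for this version


@dataclass(frozen=True)
class Policy:
    """Organizational rules (hypothetical: deny GPL, allow at most medium CVEs)."""
    denied_licenses: frozenset = frozenset({"GPL-2.0-only", "GPL-3.0-only"})
    max_allowed_severity: str = "medium"


# Constructed package index for a hypothetical package "example-lib".
# Versions are listed oldest to newest; "most recent" follows list order rather
# than full semver parsing, which keeps the example focused on the policy logic.
INDEX = {
    "example-lib": [
        Version("example-lib", "1.0.0", "MIT", max_cve_severity="high"),
        Version("example-lib", "1.1.0", "MIT"),
        Version("example-lib", "1.2.0", "GPL-3.0-only"),
        Version("example-lib", "1.3.0", "MIT", malicious=True),
    ],
}


def violations(v, policy):
    """Return the list of policy rules this version breaks (empty means compliant)."""
    problems = []
    if v.malicious:
        problems.append("version is flagged as malicious")
    if v.license in policy.denied_licenses:
        problems.append(f"license {v.license} is denied by policy")
    if SEVERITY_RANK[v.max_cve_severity] > SEVERITY_RANK[policy.max_allowed_severity]:
        problems.append(
            f"CVE severity {v.max_cve_severity} exceeds allowed {policy.max_allowed_severity}"
        )
    return problems


def curate(name, version, policy=Policy()):
    """Decide whether a requested version may enter the environment.

    Returns a dict with the decision, the reason, and, when blocked, the most
    recent compliant version of the same package (or None if there is none).
    """
    versions = INDEX.get(name, [])
    requested = next((v for v in versions if v.version == version), None)
    if requested is None:
        # Unknown packages never pass silently: the gate fails closed.
        return {"decision": "block", "reason": "unknown package or version", "alternative": None}
    problems = violations(requested, policy)
    if not problems:
        return {"decision": "allow", "reason": "compliant with policy", "alternative": None}
    # Walk newest to oldest and offer the first version that satisfies every rule.
    alternative = next((v.version for v in reversed(versions) if not violations(v, policy)), None)
    return {"decision": "block", "reason": "; ".join(problems), "alternative": alternative}


if __name__ == "__main__":
    for requested in ("1.1.0", "1.3.0", "1.2.0", "1.0.0"):
        print(requested, curate("example-lib", requested))
```

Two design points carry over to any real gate: the decision for an unknown package is "block", not "allow", so a gap in the index cannot become a bypass; and the alternative is chosen by re-running the full rule set on each candidate, so the suggested replacement can never itself be non-compliant.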

Image 1: Pulling Chainguard container images into the JFrog Platform

Securing golden images

A golden image is the trusted base layer your developers build their code on. Instead of pulling arbitrary upstream images, they start from a secure, pre-approved layer. Golden images eliminate guesswork and give developers and security teams confidence that what's running in production matches what they've tested, validated, and secured.

Chainguard container images are an ideal foundation for this kind of program. We've designed them to be minimal, hardened, and continuously updated to reduce or eliminate CVEs. That means when you adopt Chainguard container images as your base layer, rather than starting with an image that already has dozens, or even hundreds, of vulnerabilities baked in, you're starting clean.

From there, with the help of JFrog Curation, you can extend those images with your own organizational requirements: add runtime libraries specific to your applications, include your preferred monitoring or logging agents, or bake in tooling you want every workload to carry. Curation provides the necessary first line of defence — ensuring anything you add is policy-approved and safe to use.

Once inside your pipeline, golden images must be continuously scanned and monitored for any potential changes or newly introduced risks. This is where JFrog Advanced Security comes into play. A Chainguard base image, together with your own layers of common libraries, becomes your golden image; those layers are continually scanned and monitored by JFrog’s end-to-end security. Anything added to a hardened Chainguard base image is subject to application security practices at every stage of the SDLC. This includes source code scanning (JFrog SAST), software composition analysis (JFrog Xray and Contextual Analysis), configuration scanners, and secrets scanners (for both source and binary code). Implementing these AppSec practices ensures that what started risk-free remains that way even after your application's code and IP are added.

The benefits of combining Chainguard and JFrog

One source of truth

Once a Chainguard container image is pulled by a developer and passes Curation, it is managed inside the software system of record: Artifactory, JFrog’s universal artifact and model repository manager. With all your Chainguard container images consolidated and managed in Artifactory, you eliminate the risk of drift and ensure everyone is working from the same approved foundation. It provides your teams with a unified system of record they trust. You can organize your golden images in whatever way makes the most sense for your business — by project, team, or application. Artifactory also enforces versioning, so you always know exactly which image is in use and can roll back or promote versions with confidence. Access policies enable easy control over who can pull or push, ensuring that only authorized teams can modify your golden images. Governance rules add another layer of control, helping you align image usage with organizational and regulatory requirements.

Less noise, more signal

If you've ever scanned a typical container image, you know what to expect. The results return hundreds of CVEs, most of which are low-severity, not exploitable in your context, or tied to packages you never intended to use. The sheer volume makes it difficult to distinguish what matters from what can safely be ignored. Chainguard container images change that experience. Because we build them to be minimal and intentionally stripped of unnecessary components, the number of vulnerabilities they contain is dramatically lower. In many cases, there are none at all.

Image 2: Xray scans Chainguard’s container images and provides a full SBOM

For any additional layer (e.g., application code or artifacts) added to the base image, JFrog’s Transitive Contextual Analysis means security teams no longer waste time triaging endless lists of low-priority CVEs. Instead, they can focus on the vulnerabilities that truly matter: the ones that are actually exploitable and could realistically affect the security of their applications. The entire pipeline becomes more efficient, with reduced noise, faster resolution, and greater confidence that flagged items warrant attention.

Governance and compliance built in

Chainguard’s container images are secure building blocks for your applications. Once you add other components to them, it is important to continuously manage their progression through the SDLC, ensuring they are monitored, governed, and scanned as they move down the pipeline.

JFrog AppTrust gives you precise control over all your application versions and their components. It allows you to set “gates” at every step of the SDLC: policies that determine whether a given version can move down the pipeline, based on its adherence to your operational, security, or compliance requirements. Adherence to a policy requires presenting attestations, backed by evidence, that your policies were indeed met. This evidence can be collected on the JFrog platform, via JFrog’s extensive partner ecosystem, or imported from external resources as a JSON file.

With these policies, you can codify requirements for frameworks like FedRAMP, HIPAA, or PCI DSS directly into the promotion process. For images, this means only application versions that meet your defined standards are approved to move down the pipeline.
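The gate-plus-evidence pattern is easier to reason about with a small working model. The following is an added example (our own illustration, not JFrog AppTrust's policy engine, evidence schema, or API): each SDLC stage has a gate made of rules, every rule names the piece of evidence it needs, and a version is promoted only when all required evidence is present and satisfies its rule. The evidence document, the application "payments-api", and the field names are constructed for the example; the base-image digest is a placeholder.

```python
"""Illustrative model of a promotion gate that evaluates evidence.

Added example, not JFrog AppTrust's policy engine or evidence format. It shows
the pattern the article describes: each SDLC stage has a gate made of rules,
every rule requires a piece of evidence, and a version moves forward only when
all required evidence is present and satisfies its rule.
"""
import json

# Constructed evidence document for a hypothetical application version. The
# field names and layout are this example's own, not AppTrust's schema.
EVIDENCE_JSON = """
{
  "application": "payments-api",
  "version": "2.4.1",
  "evidence": [
    {"type": "sast", "result": "pass"},
    {"type": "sca", "critical": 0, "high": 1},
    {"type": "license", "denied_found": []},
    {"type": "base_image", "digest": "sha256:<placeholder-digest>", "approved_golden": true}
  ]
}
"""

# Gate definitions: each rule is (evidence type, predicate, human-readable requirement).
# The rules tighten as a version approaches production.
GATES = {
    "qa": [
        ("sast", lambda e: e["result"] == "pass", "SAST scan must pass"),
        ("sca", lambda e: e["critical"] == 0, "no critical CVEs"),
    ],
    "prod": [
        ("sast", lambda e: e["result"] == "pass", "SAST scan must pass"),
        ("sca", lambda e: e["critical"] == 0 and e["high"] == 0, "no critical or high CVEs"),
        ("license", lambda e: not e["denied_found"], "no denied licenses in the SBOM"),
        ("base_image", lambda e: e["approved_golden"], "built on an approved golden image"),
    ],
}


def load_evidence(text):
    """Parse an evidence document; imported evidence is just a JSON file here."""
    return json.loads(text)


def evaluate_gate(stage, evidence):
    """Return (passed, failures) for promoting this version into `stage`.

    Missing evidence fails the rule: a gate must never pass on the absence of
    a scan result.
    """
    by_type = {item["type"]: item for item in evidence.get("evidence", [])}
    failures = []
    for etype, check, requirement in GATES[stage]:
        item = by_type.get(etype)
        if item is None:
            failures.append(f"{requirement}: no '{etype}' evidence presented")
        elif not check(item):
            failures.append(f"{requirement}: '{etype}' evidence does not satisfy the rule")
    return (not failures, failures)


if __name__ == "__main__":
    doc = load_evidence(EVIDENCE_JSON)
    for stage in ("qa", "prod"):
        passed, failures = evaluate_gate(stage, doc)
        verdict = "PROMOTE" if passed else "HOLD"
        print(f"{doc['application']} {doc['version']} -> {stage}: {verdict}")
        for failure in failures:
            print("  -", failure)
```

With the constructed evidence, the version clears the QA gate but is held at the production gate because one high-severity CVE remains, and removing any required evidence item from the document produces a failure rather than a pass. That fail-closed handling of absent evidence is the property an auditor will look for first.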

The benefit for security and compliance teams is trust. They know that governance is consistently enforced across every application and every team, without exception or gaps. Together, Chainguard and JFrog give you a pipeline where secure and compliant artifacts are the default outcome, not the exception.

Image 3: Manage application versions across the SDLC with AppTrust

Better together

By combining Chainguard’s secure-by-default container images with JFrog’s end-to-end security and governance platform, your organization can trust its images and other software artifacts through their entire lifecycle. This partnership eliminates vulnerability noise, enforces compliance, and ensures your "golden images" remain consistent and secure from development through to production. The result is a faster, safer, and more auditable software supply chain that empowers both developers and security teams to build and ship with confidence and speed.

By leveraging JFrog Artifactory alongside Chainguard, we can seamlessly mirror the images we need without disrupting our existing CI/CD pipelines. Once the images are available in Artifactory, we can continue pulling them with the same secrets and configurations already in place - no changes required. This approach streamlines operations, reduces engineering overhead, and ensures a more secure and efficient software supply chain for the company.

Pat Carroll, Software Developer, BeyondTrust

Ready to strengthen your supply chain? Explore Chainguard Containers and JFrog Artifactory with Xray to start building your own golden image pipeline today.
