Trusted Open Source Means Compatibility: New Integration with Orca Security
In today’s cloud-native landscape, organizations rely on a wide range of scanners, platforms, and tools to protect their applications and infrastructure. At Chainguard, we hear from customers how increasingly critical it is to trust their software foundations, with security embedded from the outset. That starts with zero-CVE container images built from trusted, minimal, and verifiable components, and extends across all of their open source artifacts.
But security is only as effective as its visibility. That’s why we’ve prioritized broad compatibility across the scanner ecosystem, ensuring that Chainguard container images can be accurately interpreted and validated, whether that’s for our customers’ own environments, or for the long tail of their users’ environments. Today, we’re expanding on that broad and deep compatibility with the introduction of our Orca Security integration. With hundreds of customers including SAP, Gannett, Autodesk, Unity, Lemonade, and Digital Turbine, Orca is a leading CNAPP (Cloud-Native Application Protection Platform) provider. Together, we can enable some of the world’s leading organizations to build with trusted open source software across their environments.
Introducing Our Partnership with Orca Security
Orca offers agentless-first visibility into every layer of your cloud estate—including cloud configurations, host OSes, container images, Kubernetes clusters, open-source components, and more.
With this integration, Orca now supports full visibility into images based on Chainguard OS, including Chainguard Containers. This means that:
Chainguard Containers metadata is available directly in the Orca Platform, enhancing visibility across the software supply chain.
Orca scans these images and their installed packages for vulnerabilities, validating them against authoritative Chainguard Security Advisories.
False positives are eliminated, helping teams focus on the risks that matter most and streamlining remediation workflows.
Critical security context is added from the Orca Platform, so security and DevOps teams can better understand vulnerabilities and security issues in combination with a wider understanding of their cloud environment.
Together with Orca, Chainguard can provide organizations with trusted open source artifacts like secure container images that are not only continuously rebuilt with transparent provenance—but also visible, verifiable, and actionable through tools that modern security teams already rely on.
Learn more about the Orca Integration at Orca Security: Read their blog.
Why Compatibility Matters
For security and DevOps teams, compatibility isn’t just a convenience — it’s a necessity. Organizations need to confirm that their containers are free from known vulnerabilities using the scanners already deployed in their environments. This is especially important in regulated industries or customer-facing deployments, where validating a zero-CVE posture is critical for compliance, third-party audits, or internal risk reporting.
By integrating with leading scanners like Orca, we help ensure that customers don’t just take our word for it — they can see the zero-CVE status of their containers, confirmed by the tools they trust. This alignment between image metadata, scanner visibility, and vulnerability policy is essential to reducing noise and driving real security outcomes without sacrificing developer velocity or efficiency.
Looking Ahead
Our work with Orca is just beginning. We see tremendous opportunity to bring secure-by-default, trusted open source artifacts to even more layers of the stack—and to more of the use cases Orca is protecting today.
Whether it’s enabling proactive vulnerability management, accelerating incident response, or reducing software supply chain risk, we’re excited to partner with Orca to deliver more value to joint customers.