What’s new in December 2025: exploring new Chainguard product features

Ed Sawma, VP of Product Marketing

Each quarter, we invite our customers and the broader Chainguard community to hear about what we’ve launched recently and what’s on our short-term roadmap. Part of introducing these new capabilities and innovations is recognizing the landscape and the reality of the users we’re building for, specifically the engineering teams tasked with not only moving fast, but doing so efficiently and securely.

The “2026 Engineering Reality Report” was a study published by Chainguard in October, which sought the opinions and input of 1,200 software engineers and technology leaders on how teams spend their time and what gets in the way of meaningful, high-impact work. There were three clear outcomes:

  1. Maintenance work is outweighing innovation. Nearly 80 percent of engineers reported that code maintenance drains their time, and they spend only 16 percent of their week building new features or capabilities. Much of this maintenance effort is tied to security.

  2. In many organizations, software security still functions outside the core engineering workflow. Two out of three engineers frequently encounter technical debt, and 40 percent spend significant time resolving vulnerabilities, creating a reactive security environment that requires substantial manual work. This approach transforms proactive development into cycles of patching and triage.

  3. Tooling fragmentation and context switching impose a heavy cognitive load. 88 percent of engineers said switching between tools negatively affects their productivity, and 62 percent indicated their tools lack the integrations necessary to maintain focus and flow. The takeaway is clear: engineering teams want powerful tools, but only if those tools fit naturally into existing workflows.

This quarter’s updates across Chainguard Containers and Chainguard Libraries focus on reducing this toil, shifting security work from reactive to proactive, and supporting engineering teams without requiring disruptive workflow changes.

Chainguard Containers

Recently released

40+ first-party Helm Charts for Bitnami migration

Chainguard has launched more than 40 first-party Helm Charts to help teams transition away from Bitnami, following their licensing changes that placed many previously free charts and images behind a paywall. Forked from Bitnami, our Helm Charts ensure drop-in compatibility and smooth migrations from upstream Bitnami charts, while integrating seamlessly with our catalog of secure-by-design containers.

Each chart is delivered as an OCI artifact to customers’ private registries and is updated, tested, and validated in the Chainguard Factory to ensure consistent, reliable deployments. Our charts are pre-packaged with values that standardize to Chainguard’s minimal, hardened, zero CVE container images, which are guarded by our best-in-class CVE Remediation SLA. By combining hardened images with fully managed charts, Chainguard helps teams reduce risk and complexity while speeding up deployment.

Custom Assembly improvements, including Save As customization

Chainguard Custom Assembly allows teams to start with a standard Chainguard image and add exactly the packages they need. This is especially useful for teams using minimal images that do not include all the packages, package managers, or shells. Another important benefit of Chainguard’s Custom Assembly feature is that the SLA applies to the entire image created, not just the base image. Every package added on top is fully covered.

A major improvement this quarter is the addition of Save As functionality. This enables engineering teams to create multiple variants of the same base image for different applications or teams, while keeping each variant minimal and secure. This feature is available to all customers today, and for customers on our per-image pricing, it does not use up your image count.

Self-serve catalog provisioning

Chainguard’s catalog pricing model provides access to more than 1,800 container images. Previously, provisioning new images required manual customer requests and manual fulfillment by internal teams, which created unnecessary friction. This process is now fully self-serve.

With self-serve provisioning, authorized users can browse the Chainguard catalog, add new images with a single click, rename or edit existing images, delete images, and create new variants using the "Save As" feature.

200+ new container images

Over the last 3 months, Chainguard has built new container images for over 200 open source projects:

  • Databases: ArangoDB, TimescaleDB, Infinispan, PerconaDB tools 

  • CI/CD Infra: Volcanosh stack, Knative ecosystem tools, GitLab Kubernetes suite

  • Servers and Networking: NGINX OpenTelemetry, Postfix, Jetty, Omniserver, Apisix

  • AI/ML Tools: Tritonserver, Huggingface ecosystem tools, MLflow, kepler, Livekit tooling

What’s next

Helm Chart enhancements

Chainguard is making several improvements to the Helm experience within the console to help customers adopt and manage charts more easily. These updates include:

  • Better READMEs at the chart level

  • A clear view of the container images that map to each chart

  • Values YAMLs available to browse directly within the console

Additionally, we are expanding our Helm Chart coverage across the rest of our images catalog. This will enable organizations deploying their Chainguard Containers with community Helm charts to consume the charts and images from the same trusted registry. These charts will be distributed as signed OCI artifacts, with default configurations that make it easier for customers to deploy Chainguard’s hardened, zero-CVE images into their Kubernetes clusters at scale.

Looking ahead, we plan to introduce charts that embody secure-by-default principles and come pre-hardened, secure, and aligned with relevant security frameworks.

Chainguard Libraries

Recently released

CVE remediation for Python is now generally available

Chainguard Libraries for Python is now generally available with a major new capability: backported patches for CVEs in popular and highly requested libraries.

Development teams often do not have the option to upgrade to the latest versions of a library as soon as they become available, and sometimes version updates to address a CVE can take weeks or months. Chainguard solves this problem by backporting upstream fixes for critical and high-severity vulnerabilities to versions from the last three years. Every remediated CVE is tested to ensure the patched version does not break functionality and is no longer exploitable.

Scanner integrations with Grype, Trivy, AWS Inspector, and Anchore Enterprise

Chainguard Libraries now integrates with Grype, Trivy, AWS Inspector, and Anchore Enterprise, all widely trusted vulnerability scanners. Organizations using these tools can now easily identify when Chainguard has remediated a critical or high-severity CVE in a Python library through an upstream backport.

For engineering teams, this removes the burden of sorting through CVE alerts and accelerates development workflows. At the same time, security teams gain a higher level of trust and visibility, as their scanners can now independently confirm that Chainguard’s backported fixes fully resolve critical and high-severity CVEs.

Verification tooling improvements

Verification tooling helps our customers verify that libraries are built by Chainguard in our SLSA-hardened build environment, rather than coming from upstream registries. It also shows your environment’s overall coverage with Chainguard Libraries.

Verification tooling is available for Python and Java, and is coming soon for JavaScript. This functionality will soon be moving from the standalone chainver tool to chainctl to provide a unified tooling experience across Chainguard products.

What’s next

JavaScript libraries, built to prevent malware

Chainguard Libraries for JavaScript is currently in closed beta and is designed to stop the types of malware attacks hitting the npm ecosystem today. These JavaScript libraries are built in our SLSA L2 environment with full provenance and SBOMs. Work is underway to expand coverage across more JavaScript libraries.

Browse remediated CVEs in the Console

A new feature in the Chainguard Console is in development to browse which CVEs have been remediated in specific libraries. This will allow security and development teams to evaluate and validate which libraries have patched CVEs, and where CVE Remediation can deliver value and eliminate toil across your environment.

100,000s of libraries, with new builds every day

Library coverage across Python, Java, and JavaScript is expanding rapidly, with hundreds of thousands of versions already available and new libraries being built every day. Our ongoing investment in the breadth of our libraries catalog ensures broad support for the language ecosystems our customers depend on.

Helping teams focus on what matters

Across Chainguard Containers and Chainguard Libraries, this quarter’s releases focus on reducing engineering toil, strengthening proactive security, and supporting teams without disrupting the workflows they already rely on. Whether you are working to eliminate CVE remediation cycles, accelerate compliance, or gain better control of your software supply chain, Chainguard is investing in capabilities designed to support those goals.

If you would like to learn more about how these updates can help your organization improve efficiency, enhance security, and accelerate innovation, please contact us. We would be happy to connect. To dive deeper into everything covered here, you can also watch the full on-demand webinar anytime.
