Safeguard
Tag

chainguard

Safeguard articles tagged "chainguard" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Tools

Best Container Base Images for Security in 2026

Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.

Jun 2, 20267 min read
Software Supply Chain Security

Managing risk in the software supply chain

Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.

Apr 3, 20268 min read
Application Security

Application security assessments: a practical guide

A practical, numbers-based guide to running application security assessments -- scope, cadence, findings, and how Safeguard compares to image-hardening tools like Chainguard.

Apr 3, 20267 min read
Vulnerability Management

Vulnerability management for the modern engineering team

A vulnerability management program for engineering teams needs more than zero-CVE base images. Here's how Safeguard closes the gaps Chainguard leaves open.

Apr 2, 20267 min read
Open Source Security

Wolfi: the community Linux 'undistro'

Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.

Mar 31, 20267 min read
Open Source Security

apko and melange: declarative container build tools

How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.

Mar 30, 20268 min read
Software Supply Chain Security

Sigstore, Cosign, and keyless container image signing

How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.

Mar 30, 20267 min read
Compliance

STIG compliance scanning for hardened/Chainguard containe...

Chainguard images have near-zero CVEs, but shell-based scanners like Anchore flag them as STIG non-compliant. Here is why, and how to fix it.

Mar 23, 20267 min read
Container Security

The Minimal Base Image Myth: What Actually Reduces Attack Surface

Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.

Mar 3, 20267 min read
Container Security

Distroless vs. Chainguard vs. Wolfi: Real Differences

A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.

Jan 19, 20266 min read
Container Security

Chainguard Images: The Zero-CVE Container Base Image Revolution

Chainguard ships container images with zero known CVEs. That sounds like marketing until you understand how they build them. Here is the technical reality behind the claim.

Nov 22, 20236 min read
chainguard — Safeguard Blog