chainguard
Safeguard articles tagged "chainguard" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Best Container Base Images for Security in 2026
Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.
Managing risk in the software supply chain
Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.
Application security assessments: a practical guide
A practical, numbers-based guide to running application security assessments -- scope, cadence, findings, and how Safeguard compares to image-hardening tools like Chainguard.
Vulnerability management for the modern engineering team
A vulnerability management program for engineering teams needs more than zero-CVE base images. Here's how Safeguard closes the gaps Chainguard leaves open.
Wolfi: the community Linux 'undistro'
Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.
apko and melange: declarative container build tools
How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.
Sigstore, Cosign, and keyless container image signing
How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.
STIG compliance scanning for hardened/Chainguard containe...
Chainguard images have near-zero CVEs, but shell-based scanners like Anchore flag them as STIG non-compliant. Here is why, and how to fix it.
The Minimal Base Image Myth: What Actually Reduces Attack Surface
Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.
Distroless vs. Chainguard vs. Wolfi: Real Differences
A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.
Chainguard Images: The Zero-CVE Container Base Image Revolution
Chainguard ships container images with zero known CVEs. That sounds like marketing until you understand how they build them. Here is the technical reality behind the claim.