
ZDNET's key takeaways
- Chainguard targets open-core programs, GitHub Actions, and agent skills.
- The approach starts with its new AI-powered Chainguard Factory 2.0.
- The company is launching new security-first developer services.
From the stage of the Chainguard Assemble 2026 event in Manhattan, software security company Chainguard Co‑Founder and CEO Dan Lorenc pulled up an audience member to saw a piece of wood with an old-fashioned handsaw. It did not go well, but the wood was chopped eventually. Then, Lorenc pulled out a small power saw and chopped the same piece in a few seconds. He then said, "It's hard to make mistakes with manual tools because you're going slower, while [AI] power tools are a lot more fun, but they're also a lot more dangerous. We lose a lot more fingers."
In short, we must learn to use power tools safely -- and that's what Chainguard is attempting to do. Lorenc framed the moment as an industry transition from "hand woodworking" to power tools and then to fully automated assembly lines, with AI agents driving much of the change. "In the next 12 months, the majority of code is going to be written by something different and something new," Lorenc said. The only way to keep up with AI‑accelerated attackers is to automate away the traditional 30/60/90‑day patch cycle and start from systems that are secure by design.
To achieve that goal, Chainguard has moved its methodology for automatically building operating system and application images from a brittle one to Chainguard Factory 2.0. Factory 2, the company suggested, has already removed more than 1.5 million vulnerabilities from customer production environments, up from 270,000 a year ago, by continuously rebuilding and repatching its images and packages from source.
Chainguard Factory 2.0 is a reconciling, AI‑driven pipeline that pushes the company's catalog toward a desired state, whether that means zero known Common Vulnerabilities and Exposures (CVEs), passing a particular QA suite, or meeting performance or size constraints.
To achieve this state, Dustin Kirkland, Chainguard's SVP of engineering, explained in an interview with ZDNET, "We invested early and often with multiple different AI models, OpenAI, Claude, and Gemini." Early agents only succeeded "50–60%" of the time, he noted, but the misses became training data: "We could take the exhaust -- the things that didn't work -- go and fix that, and then feed that back into the model. And things just got better."
The turning point, said Kirkland, was the company's Driftless agentic framework, which "really plumb[ed] the reconciler model directly into the factory itself." He continued: "Here we get the self‑healing mode… we decide what we want the end state to be... and then the reconciler will basically just run in a loop solving problems until it meets those criteria."
That mode is a lot better than what Lorenc described as a fragile, event‑driven Continuous Integration (CI) pipeline held together by "duct tape and baling wire"; it is a shift to a Kubernetes‑style reconciler pattern where agents continuously nudge reality toward a target description. Thanks to agents tracking upstream releases, Chainguard can track more than twice as many packages as before, securing and producing them in far less time.
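To make the reconciler-versus-pipeline distinction concrete, here is an added example (not Chainguard's Driftless framework or Factory code): a loop in the Kubernetes style the article describes, driving a package inventory toward a desired state of "no version with a known advisory", beside a one-shot event-driven pass for contrast. The package inventory, the advisory table and the rebuild step are constructed stand-ins.

```python
"""Added example, not Chainguard's Driftless framework or Factory code: a
reconciler loop driving a package inventory toward a desired state (no version
with a known advisory), with a one-shot event-driven pass for contrast.
Inventory, advisories and the rebuild step are constructed stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str


# Constructed advisory table standing in for CVE feeds:
# (package, vulnerable version) -> version that fixes it.
ADVISORIES = {
    ("openssl", "3.0.1"): "3.0.2",
    ("openssl", "3.0.2"): "3.0.3",   # a second advisory lands against the first fix
    ("zlib", "1.2.11"): "1.2.13",
}

# Constructed starting inventory.
START_CATALOG = [Package("openssl", "3.0.1"), Package("zlib", "1.2.11"), Package("curl", "8.0.0")]


def observe(catalog):
    """Drift = packages whose current version carries a known advisory."""
    return [p for p in catalog if (p.name, p.version) in ADVISORIES]


def rebuild(pkg):
    """Stand-in for rebuilding a package from source at the fixed version."""
    return Package(pkg.name, ADVISORIES[(pkg.name, pkg.version)])


def reconcile(catalog, max_rounds=10):
    """Observe drift, act on it, observe again, until the catalog meets the
    desired state or the round budget runs out.
    Returns (catalog, rounds_used, converged)."""
    catalog = list(catalog)
    for rounds in range(max_rounds):
        drift = set(observe(catalog))
        if not drift:
            return catalog, rounds, True
        catalog = [rebuild(p) if p in drift else p for p in catalog]
    return catalog, max_rounds, not observe(catalog)


def single_pass(catalog, triggered_by):
    """Event-driven contrast: rebuild only the packages named in the triggering
    event, once, and stop. An advisory that lands against the rebuilt version
    is never revisited unless another event arrives."""
    return [rebuild(p) if p.name in triggered_by and (p.name, p.version) in ADVISORIES else p
            for p in catalog]


if __name__ == "__main__":
    catalog, rounds, converged = reconcile(START_CATALOG)
    print(f"reconciled in {rounds} round(s), converged={converged}: {catalog}")
    print("left behind by a single pass:", observe(single_pass(START_CATALOG, {"openssl", "zlib"})))
```

The point of the chained openssl advisory is that the reconciler needs two rounds and finishes, while the single pass fixes what the event named and leaves the follow-on advisory on the floor until someone wires up another trigger.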
For developers who want to produce safe, useful programs, that new approach means Chainguard is offering more than half a dozen new and improved services.
Embracing self-service
At the base of this stack is Chainguard OS. Chainguard said this Linux distribution is "fully bootstrapped from source" and not a derivative of Debian, Fedora, or other mainstream foundational Linux distributions that lag behind the latest patch releases. Using Chainguard OS, companies can now build their own bug-free custom Linux distributions, Kirkland said: "Customers can build any image they want from those packages… in any combination that they want."
He framed the shift as part of a broader push toward developer self‑service: "Developers can get the software they need at the speed that they need it -- which is now."
Chainguard's container catalog remains its flagship product, and Product SVP Patrick Donahue highlighted that the company is now building more than 2,200 upstream projects into container images and maintaining over 30,000 OS packages. Donahue said that this volume is "an order of magnitude bigger than anybody else."
To make its products more accessible, Chainguard introduced a free Chainguard Catalog Starter tier. This tier gives users a choice of 5 free images. The tier is for developers who want to "give it a taste" and scale up later. Kirkland called this approach "leaning into developer self‑service," giving engineers "access to 5 images at no charge" so they can get going without talking to sales.
More strategically, the company is moving beyond open‑source images into what it calls Chainguard Commercial Builds. These are secure, Chainguard‑built images for commercial and open‑core software, such as GitLab Enterprise, Elastic, or NGINX. Kirkland explained: "Increasingly, we've had customers who come to us with either shared source models or commercial open‑source models… 'How can we use Chainguard in our proprietary builds?' And the answer unequivocally is yes."
In these deals, Kirkland said Chainguard provides "the secure compiler and language runtimes and all of those libraries that it takes to build that image," giving vendors a hardened, zero‑CVE‑SLA base while allowing them to keep their proprietary IP closed. He predicted this approach "will revolutionize a bunch of the software out there that is distributed, built on top of a Debian or Fedora or an Alpine by offering a safe, secure, hardened, zero CVE alternative."
On the language side, Chainguard secures upstream repositories such as PyPI, Maven Central, and npm, where Donahue said more than 450,000 new malicious packages were observed across major registries in 2025. That's about 1 per minute, if you're counting.
The company now claims about 96% coverage of Python dependencies, over a million Java artifact versions, and about 90% of the top 500 npm dependencies by download volume, with factory automation pointed at Java and JavaScript after Python. Given that many popular open-source repositories have been poisoned with malicious code, it's high time someone provided clean, secure programs.
To make consumption easier, Chainguard has launched the Chainguard Repository, its own artifact repository fronting those curated libraries. Instead of configuring each developer to fall back directly to upstream registries, customers can point CI and AI coding agents at the Chainguard Repository and enforce policies such as license allow‑lists or a "cool‑down period" that blocks brand‑new libraries for a configurable number of days, allowing time for malware to be detected.
For customers with heavy usage or constrained bandwidth, Kirkland emphasized that Chainguard will "continue to work with Artifactory and Cloudsmith and others and publish into those artifact registries," and that these repositories can be mirrored in‑house to avoid hammering public services. That capability also reduces the load on struggling open‑source mirrors that "literally cannot afford the bandwidth quotas."
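The two policies named above, a license allow-list and a cool-down period, are simple enough to show end to end. The following is an added example and not the Chainguard Repository's own policy engine; the allowed licenses, the 7-day default, the package name "examplelib" and its release metadata are all constructed for the illustration.

```python
"""Added example, not the Chainguard Repository's own policy engine: a license
allow-list and a cool-down period for brand-new releases, applied to
constructed registry metadata for one hypothetical package."""
from datetime import datetime, timedelta, timezone

# Hypothetical policy values; the article says the cool-down length is configurable.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
COOL_DOWN_DAYS = 7


def evaluate(release, now, allowed=ALLOWED_LICENSES, cool_down_days=COOL_DOWN_DAYS):
    """Apply both policies to one release dict; return (allowed, reasons)."""
    reasons = []
    if release["license"] not in allowed:
        reasons.append(f"license {release['license']} is not on the allow-list")
    # Age is measured against a timezone-aware 'now' so the comparison is exact.
    age = now - datetime.fromisoformat(release["published"])
    if age < timedelta(days=cool_down_days):
        reasons.append(f"published {age.days} day(s) ago, inside the {cool_down_days}-day cool-down")
    return not reasons, reasons


def resolve(releases, now, **policy):
    """Newest release that passes policy, or None. This is what a policy-enforcing
    proxy serves instead of blindly handing out the latest upstream version: the
    cool-down delays a fresh release rather than blocking the package outright."""
    for r in sorted(releases, key=lambda r: r["published"], reverse=True):
        ok, _ = evaluate(r, now, **policy)
        if ok:
            return r["version"]
    return None


# Constructed metadata for a hypothetical package "examplelib".
RELEASES = [
    {"version": "1.8.0", "license": "GPL-3.0-only", "published": "2025-11-03T09:00:00+00:00"},
    {"version": "1.9.0", "license": "MIT", "published": "2026-02-01T09:00:00+00:00"},
    {"version": "2.0.0", "license": "MIT", "published": "2026-03-08T09:00:00+00:00"},
]
NOW = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)  # constructed evaluation time


if __name__ == "__main__":
    for r in RELEASES:
        print(r["version"], evaluate(r, NOW))
    print("resolved:", resolve(RELEASES, NOW))
```

Run against the constructed data, 2.0.0 is held back for being two days old, 1.8.0 fails the license check, and the resolver hands out 1.9.0; shortening the cool-down to one day lets 2.0.0 through.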
Security and skills
Recognizing that CI systems are now among the most sensitive parts of the software supply chain, Chainguard unveiled two new product families: Chainguard Actions and Chainguard Agent Skills.
Lorenc took direct aim at GitHub Actions' security model, pointing out how hard it is for even diligent teams to verify that a marketplace action is trustworthy or correctly scoped. He cited examples where actions pulled remote scripts or binaries at runtime, or contained shell‑injection risks that could leak tokens in complex pipelines, patterns reminiscent of real‑world attacks like the GitHub‑hosted HackerBot/Flaw campaigns.
Chainguard Actions are "secured by default, drop‑in replacements of upstream GitHub Actions," built and continuously hardened in the factory, with tests auto‑generated to ensure that security fixes don't break behavior. To adopt them, Lorenc said, customers can "replace [the upstream org] with chainguard‑dev" in their workflows and then use a single GitHub setting to restrict usage to Chainguard's curated set.
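Two of the risks Lorenc describes, unvetted marketplace actions and untrusted input expanded inside a shell step, are easy to check for before a workflow ever runs. Below is an added example, not part of the article and not Chainguard's tooling: a stdlib-only scanner over a workflow file that flags `uses:` references outside an allowed set of organisations or not pinned to a full commit SHA, and `run:` steps that interpolate contributor-controlled expression contexts. The allowed-org set (`chainguard-dev`, per the article), the `chainguard-dev/checkout` repository name, the 40-character SHA and both workflow texts are constructed for the illustration.

```python
"""Added example, not the article's or Chainguard's code: a small scanner for
two GitHub Actions risks, unpinned or unvetted marketplace actions and
untrusted input interpolated into a run step. The allowed-org set, the
action name, the SHA and the workflow texts are constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:")
# Expression contexts whose values an outside contributor controls (issue and
# PR titles/bodies, comments, branch names). Expanding them inside `run:`
# splices that text straight into a shell script.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*(github\.event\.(issue|pull_request|comment|review|head_commit|commits)\b"
    r"|github\.head_ref)"
)


def check_workflow(text, allowed_orgs):
    """Return findings as (line_no, kind, detail) tuples for one workflow file."""
    findings = []
    run_indent = None          # indentation of the `run:` key we are inside, if any
    for no, line in enumerate(text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            run_indent = len(m.group(1))
        elif run_indent is not None and line.strip():
            indent = len(line) - len(line.lstrip())
            if indent <= run_indent:
                run_indent = None          # the block scalar under run: has ended
        if run_indent is not None and UNTRUSTED_RE.search(line):
            findings.append((no, "untrusted-expr", line.strip()))
        u = USES_RE.match(line)
        if u:
            ref = u.group(1)
            if ref.startswith(("./", "docker://")):
                continue                   # local and container actions: out of scope here
            name, _, version = ref.partition("@")
            org = name.split("/", 1)[0]
            if org not in allowed_orgs:
                findings.append((no, "org-not-allowed", ref))
            if not SHA_RE.match(version):
                findings.append((no, "unpinned", ref))
    return findings


# Constructed workflow with both problems: a tag-pinned action from an
# unvetted org, and an issue title expanded inside a shell step.
VULNERABLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed hardened form: org swapped for chainguard-dev (action name and
# SHA are placeholders), and the untrusted value passed through an env var
# so the shell sees a variable, not interpolated text.
HARDENED_WORKFLOW = """\
name: triage
on: issues
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: chainguard-dev/checkout@0123456789abcdef0123456789abcdef01234567
      - name: echo title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, check_workflow(wf, allowed_orgs={"chainguard-dev"}))
```

The `env:` indirection is the standard fix for the interpolation problem: the expression is still evaluated, but the result lands in an environment variable and the shell quotes it like any other variable. The org allow-list in the scanner is the per-repository equivalent of the single GitHub setting the article mentions for restricting workflows to a curated set.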
Kirkland suggested similar problems are emerging in the fast‑moving world of AI agent skills. These markdown bundles encode tools and best practices for AI agents. Kirkland loves agent skills. The moment AI became part of his "day‑to‑day workflow" was when he could ask Claude "to encapsulate this set of best practices… things that I want my teams and my developers and my managers and our engineers to do. Encapsulate that as a skill, and then feed that skill into the agent and say, this is the right way to do things." That's the good side of agents. The bad is that all too often, AI agent skills, like those shared in Moltbook, are filled with malicious capabilities.
To combat this issue, Kirkland explained that Chainguard has encapsulated "a couple of hundred" of these skills and is now making a curated, hardened subset available to customers as Chainguard Agent Skills, so teams can plug the capabilities directly into software build and review processes without worrying that a compromised skill might introduce vulnerabilities or exfiltrate data: "That's what we're insulating our customers against."
Perhaps the most ambitious announcement was Chainguard Gardener. This GitHub app brings pieces of Chainguard's factory into customer repositories. Once installed, Gardener scans selected repos for Dockerfiles, library dependencies, AI skills, and other artifacts that could be replaced with Chainguard‑secured equivalents, then automatically opens pull requests to migrate, update tests, and keep dependencies current.
"The Gardener can constantly look through any of the repositories you decide to hook it up to," Kirkland explained. "It can identify artifacts that could be secured using Chainguard artifacts. So it can look at Dockerfiles and find images that could be Chainguard. It'll look at libraries that applications are using that could be Chainguard… [and] the skills and the agents that could be Chainguard." The idea, he said, is to give customers "a really good flywheel," Chainguard's own best practices, continuously applied within their software development life cycle.
Looking ahead, both Lorenc and Kirkland said they see the developer role itself changing rapidly. "The future of software development is… changing right before our eyes," Kirkland said, arguing that the new products together offer "everything that an enterprise or a developer needs to drive that movement to push things further, faster, more secure." Lorenc was even blunter: "This was the best time in history to be writing software, but it's also the worst time… The bottleneck isn't code anymore. It's establishing trust." He's not wrong.
