
Chainguard Images: Minimal and Signed Images

Updated: 2026-05-03

Chainguard[1] is the company founded by Sigstore’s creators, focused on practical supply chain security. Its main product is Chainguard Images: container images built with extreme rigour: zero known CVEs, signed SBOMs, reproducible builds. For enterprises with strict compliance requirements, or that simply want to reduce attack surface, they are a serious alternative to debian:latest or alpine:latest.

Key takeaways

  • Zero known CVEs at publication time: images are rebuilt daily.
  • Sigstore/Cosign-signed SBOMs included out of the box: cryptographic verification without extra steps.
  • Based on Wolfi, Chainguard’s own glibc distribution, avoiding Alpine’s musl incompatibilities.
  • The free tier covers the most popular latest images; pinned versions and SLA support are enterprise.
  • Distroless without a shell is the production variant; the -dev variant adds build tools for multi-stage use.

What they offer

Each Chainguard image is:

  • Minimal: only what is needed to run the app.
  • Zero known CVEs: daily rebuilds, fixes shipped in hours.
  • Sigstore-signed: cryptographically verifiable provenance.
  • Shipped with automatically generated and signed SBOMs.
  • Reproducibly built: a deterministic hash given the same input.

Typical usage: multi-stage Dockerfile

```dockerfile
# Build stage: the -dev variant ships npm and the build tools.
FROM cgr.dev/chainguard/node:latest-dev AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci && npm run build

# Runtime stage: distroless, no shell, no npm. Only the build output is copied in.
FROM cgr.dev/chainguard/node:latest
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
# Exec form is mandatory here: there is no /bin/sh to run a shell-form CMD.
CMD ["node", "dist/index.js"]
```

Result: a runtime image of roughly 100 MB versus 200-300 MB for the official Node image. No shell, no npm, no wget in production.

Verification with cosign

```bash
cosign verify cgr.dev/chainguard/node:latest \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp='.*chainguard.*'
```

This cryptographic verification closes the loop between who built the image and which pipeline built it: cosign checks the keyless signature against the certificate issued for that build and its entry in the Sigstore transparency log.
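The two steps above (a multi-stage Dockerfile on Chainguard bases, then a cosign check of the base image) are what a CI gate would enforce. The following is an added example, not code from the article or from Chainguard: it parses the FROM lines of a Dockerfile, flags bases that are off the trusted registry or not pinned by digest, and builds the cosign command for each one. The registry prefix, the issuer and the signing identity are policy values assumed here; the identity string is the one Chainguard has documented for its public image builds and replaces the article's loose `.*chainguard.*` regexp, so confirm it against current Chainguard documentation before relying on it. The article's own Dockerfile is embedded as the sample input.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (constructed for this example): the registry the article's Dockerfile
# uses, and the Sigstore identity Chainguard documents for its public image builds. Treat the
# identity string as an assumption to confirm against Chainguard's current documentation.
TRUSTED_REGISTRY = "cgr.dev/chainguard/"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"
SIGNING_IDENTITY = (
    "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main"
)

# Matches "FROM [--platform=...] <ref> [AS <stage>]"; only the ref and stage name are captured.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class BaseImage:
    ref: str                 # the reference exactly as written in the Dockerfile
    repo: str                # registry/repository without tag or digest
    tag: Optional[str]       # None when no tag was given (Docker then assumes "latest")
    digest: Optional[str]    # "sha256:..." when the reference is pinned, else None


def parse_ref(ref: str) -> BaseImage:
    """Split an image reference into repository, tag and digest."""
    name, _, digest = ref.partition("@")
    head, slash, last = name.rpartition("/")
    tag: Optional[str] = None
    if ":" in last:                      # a colon after the last "/" is a tag, not a port
        last, tag = last.split(":", 1)
    repo = f"{head}/{last}" if slash else last
    return BaseImage(ref=ref, repo=repo, tag=tag, digest=digest or None)


def base_images(dockerfile: str) -> list:
    """Return the external base images of a Dockerfile, skipping references to earlier stages."""
    images, stages = [], set()
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if ref.lower() in stages:        # e.g. "FROM builder" reuses a stage defined above
            continue
        images.append(parse_ref(ref))
    return images


def lint(dockerfile: str) -> list:
    """Policy findings for each base image; an empty list means the Dockerfile passes."""
    findings = []
    for img in base_images(dockerfile):
        if not img.repo.startswith(TRUSTED_REGISTRY):
            findings.append(f"{img.ref}: base image is not from {TRUSTED_REGISTRY}")
        if img.digest is None:
            findings.append(f"{img.ref}: not pinned by digest (@sha256:...)")
            if img.tag is None or img.tag.startswith("latest"):
                findings.append(f"{img.ref}: floating 'latest' tag will change under you")
    return findings


def cosign_verify_argv(image_ref: str) -> list:
    """The cosign invocation this gate runs; an exact identity replaces the article's loose regexp."""
    return [
        "cosign", "verify",
        f"--certificate-oidc-issuer={OIDC_ISSUER}",
        f"--certificate-identity={SIGNING_IDENTITY}",
        image_ref,
    ]


def verify_signature(image_ref: str) -> bool:
    """Run cosign (must be installed and online); True only when the signature verifies."""
    result = subprocess.run(cosign_verify_argv(image_ref), capture_output=True, text=True)
    return result.returncode == 0


# The article's multi-stage Dockerfile, embedded here as the sample input for the gate.
ARTICLE_DOCKERFILE = """\
FROM cgr.dev/chainguard/node:latest-dev AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci && npm run build

FROM cgr.dev/chainguard/node:latest
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
CMD ["node", "dist/index.js"]
"""

if __name__ == "__main__":
    import sys
    problems = lint(ARTICLE_DOCKERFILE)
    for p in problems:
        print("FAIL", p)
    for img in base_images(ARTICLE_DOCKERFILE):
        print("would run:", " ".join(cosign_verify_argv(img.ref)))
    sys.exit(1 if problems else 0)
```

Run against the article's Dockerfile, the gate fails: both stages pull from the trusted registry, but neither is pinned by digest and both use a floating `latest` tag, which is exactly the pinning work the article notes is an enterprise concern. Pinning by digest (`cgr.dev/chainguard/node:latest@sha256:...`) clears the findings, and `verify_signature` then confirms that the pinned digest was signed by Chainguard's build pipeline.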

Chainguard vs Alpine

Chainguard images are built on Wolfi, which uses standard glibc. That eliminates the class of DNS resolution, locale handling, and threading incidents that occasionally bite applications running on Alpine’s musl libc.

When it makes sense

It makes sense when the organisation is under strict compliance regimes (PCI-DSS, HIPAA, FedRAMP), when supply chain security is a high priority, when CVE reduction is an ESG reporting metric, or when production workloads handle sensitive data.

It makes less sense for personal projects, for legacy apps with dependencies not covered by Wolfi’s package catalogue, or for teams without the capacity to manage the lifecycle of pinned images.

Conclusion

Chainguard Images represent where the enterprise container ecosystem is heading: minimal, signed, updatable, auditable. For companies under compliance obligations, or that take supply chain security seriously, the migration cost pays back quickly in reduced audit work and improved risk metrics. The free public tier allows commitment-free evaluation. Compared with Docker Hub’s “latest” official images, the difference in CVE count and risk profile is tangible from the first scan.

References

  1. Chainguard

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.