Friday, March 20, 2026

Chainguard is racing to fix trust in AI-built software – here’s how

by admin7





ZDNET’s key takeaways

  • Chainguard targets open-core programs, GitHub Actions, and agent skills. 
  • The approach starts with its new AI-powered Chainguard Factory 2.0.
  • The company is launching new safety-first programmer services.

From the stage of the Chainguard Assemble 2026 event in Manhattan, software security company Chainguard's Co‑Founder and CEO Dan Lorenc pulled up an audience member to saw a piece of wood with an old-fashioned handsaw. It did not go well, but the wood was cut eventually. Then, Lorenc pulled out a small power saw and cut the same piece in a few seconds. He then said, “It’s hard to make mistakes with manual tools because you’re going slower, while [AI] power tools are a lot more fun, but they’re also a lot more dangerous. We lose a lot more fingers.” 

In short, we must learn to use power tools safely — and that’s what Chainguard is attempting to do. Lorenc framed the moment as an industry transition from “hand woodworking” to power tools and then to fully automated assembly lines, with AI agents driving much of the change. “In the next 12 months, the majority of code is going to be written by something different and something new,” Lorenc said. The only way to keep up with AI‑accelerated attackers is to automate away the traditional 30/60/90‑day patch cycle and start from systems that are secure by design.

To that end, Chainguard has replaced its original, brittle pipeline for automatically building operating system and application images with Chainguard Factory 2.0. Factory 2.0, the company said, has already removed more than 1.5 million vulnerabilities from customer production environments, up from 270,000 a year ago, by continuously rebuilding and repatching its images and packages from source. 


Chainguard Factory 2.0 is a reconciling, AI‑driven pipeline that pushes the company’s catalog toward a desired state, whether that means zero known Common Vulnerabilities and Exposures (CVEs), passing a particular QA suite, or meeting performance or size constraints. 

To achieve this state, Dustin Kirkland, Chainguard’s SVP of engineering, explained in an interview with ZDNET, “We invested early and often with multiple different AI models, OpenAI, Claude, and Gemini.” Early agents only succeeded “50–60%” of the time, he noted, but the misses became training data: “We could take the exhaust — the things that didn’t work — go and fix that, and then feed that back into the model. And things just got better.”

The turning point, said Kirkland, was the company’s Driftless agentic framework, which “really plumb[ed] the reconciler model directly into the factory itself.” He continued: “Here we get the self‑healing mode… we decide what we want the end state to be… and then the reconciler will basically just run in a loop solving problems until it meets those criteria.”


That reconciler mode replaces what Lorenc described as a fragile, event‑driven Continuous Integration (CI) pipeline held together by “duct tape and baling wire” with a Kubernetes‑style reconciler pattern, in which agents continuously nudge reality toward a target description. Because agents now track upstream releases, Chainguard can monitor more than twice as many packages as before, securing and producing them in far less time. 

For developers who want to produce safe, useful programs, that fresh approach means Chainguard is offering more than half a dozen new and improved services. 

Embracing self-service

At the base of this stack is Chainguard OS. Chainguard said this Linux distribution is “fully bootstrapped from source” rather than a derivative of Debian, Fedora, or other mainstream foundational distributions that lag behind the latest patch releases. Using Chainguard OS packages, companies can now build their own custom, zero‑known‑CVE Linux distributions, Kirkland said: “Customers can build any image they want from those packages… in any combination that they want.” 

He framed the shift as part of a broader push toward developer self‑service: “Developers can obtain the software they need at the speed that they need it — which is now.”


Chainguard’s container catalog remains its flagship product, and Product SVP Patrick Donahue highlighted that the company is now building more than 2,200 upstream projects into container images and maintaining over 30,000 OS packages. Donahue said that this amount is “an order of magnitude bigger than anybody else.” 

To make its products more accessible, Chainguard introduced a free Chainguard Catalog Starter tier, which gives users a choice of five free images. The tier is for developers who want to “give it a taste” and scale up later. Kirkland called this approach “leaning into developer self‑service,” giving engineers “access to five images at no charge” so they can get going without talking to sales.

More strategically, the company is moving beyond open‑source images into what it calls Chainguard Commercial Builds. These are secure, Chainguard‑built images for commercial and open‑core software, such as GitLab Enterprise, Elastic, or NGINX. Kirkland explained: “Increasingly, we’ve had customers who come to us with either shared source models or commercial open‑source models… ‘How can we use Chainguard in our proprietary builds?’ And the answer unequivocally is yes.”

In these deals, Kirkland said Chainguard provides “the secure compiler and language runtimes and all of those libraries that it takes to build that image,” giving vendors a hardened, zero‑CVE‑SLA base while allowing them to keep their proprietary IP closed. He predicted this approach “will revolutionize a bunch of the software out there that is distributed, built on top of a Debian or Fedora or an Alpine by offering a safe, secure, hardened, zero CVE alternative.”

On the language side, Chainguard builds hardened versions of libraries drawn from the big upstream registries, PyPI, Maven Central, and npm, where Donahue said more than 450,000 new malicious packages were observed across major registries in 2025. That’s almost one per minute, if you’re counting. 


The company now claims about 96% coverage of Python dependencies, over a million Java artifact versions, and nearly 90% of the top 500 npm dependencies by download volume, with factory automation being pointed at Java and JavaScript now that Python is largely covered. Given how regularly malicious packages now land in popular open-source registries, it’s high time someone provided clean, rebuilt-from-source libraries.  

To make consumption easier, Chainguard has launched the Chainguard Repository, its own artifact repository fronting those curated libraries. Instead of letting every developer pull directly from upstream registries, customers can point CI and AI coding agents at the Chainguard Repository and enforce policies there, such as license allow‑lists or a “cool‑down period” that blocks a brand‑new library version for a configurable number of days, giving scanners time to catch malware before anything installs it.
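The two policies named above, a license allow-list and a cool-down period on new versions, are easy to reason about in code. What follows is an added illustration, not Chainguard's implementation or configuration format: it evaluates a package index shaped like the PyPI JSON API (an `info.license` field and a `releases` map of version to uploaded files) against both rules, and shows what a policy-enforcing proxy would actually serve when the newest version is still inside the cool-down window. The package names, licenses, dates and the fixed "now" are all constructed.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed sample index (package names, licenses and dates are made up). Each entry copies
# the shape of the PyPI JSON API: info.license plus a releases map of version -> uploaded files.
SAMPLE_INDEX = {
    "examplelib": {
        "info": {"license": "MIT"},
        "releases": {
            "1.4.0": [{"upload_time_iso_8601": "2026-02-01T10:00:00Z"}],
            "1.5.0": [{"upload_time_iso_8601": "2026-03-18T09:30:00Z"}],
        },
    },
    "gpl-widget": {
        "info": {"license": "GPL-3.0-only"},
        "releases": {"0.9.0": [{"upload_time_iso_8601": "2025-11-11T00:00:00Z"}]},
    },
    "brand-new": {
        "info": {"license": "MIT"},
        "releases": {"0.1.0": [{"upload_time_iso_8601": "2026-03-19T23:00:00Z"}]},
    },
}

# Fixed "now" so the example is reproducible; a real proxy uses the wall clock.
NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)


def _version_key(v):
    # Good enough for dotted numeric versions; a real tool would use a PEP 440 parser.
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def _published_at(files):
    # A release counts as published when its first file appeared on the index.
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def check(name, version, now=NOW, cooldown_days=COOLDOWN_DAYS,
          allow=LICENSE_ALLOWLIST, index=SAMPLE_INDEX):
    """Policy decision for one (package, version): ('allow' | 'deny', reason)."""
    meta = index.get(name)
    if meta is None:
        return "deny", "package not in curated index"
    lic = meta["info"].get("license")
    if lic not in allow:
        return "deny", f"license {lic!r} not on allow-list"
    files = meta["releases"].get(version)
    if not files:
        return "deny", "unknown version"
    age = now - _published_at(files)
    if age < timedelta(days=cooldown_days):
        return "deny", f"published {age.days} day(s) ago; cool-down is {cooldown_days} days"
    return "allow", "ok"


def resolve_latest(name, now=NOW, index=SAMPLE_INDEX):
    """Newest version that passes policy, or None: what a proxy would hand to pip or an agent."""
    meta = index.get(name)
    if meta is None:
        return None
    for version in sorted(meta["releases"], key=_version_key, reverse=True):
        if check(name, version, now, index=index)[0] == "allow":
            return version
    return None


if __name__ == "__main__":
    for pkg in SAMPLE_INDEX:
        print(pkg, "->", resolve_latest(pkg))
```

The important design choice is in `resolve_latest`: a cool-down that simply fails the request would push developers back to the upstream registry, so the proxy resolves to the newest version that is old enough instead. Note also that the age is measured from the first uploaded file of a release, so an attacker cannot shorten the window by re-uploading a wheel.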

For customers with heavy usage or constrained bandwidth, Kirkland emphasized that Chainguard will “continue to work with Artifactory and Cloudsmith and others and publish into those artifact registries,” and that these repositories can be mirrored in‑house to avoid hammering public services. That capability also reduces the load on struggling open‑source mirrors that “literally cannot afford the bandwidth quotas.” 

Security and skills

Recognizing that CI systems are now among the most sensitive parts of the software supply chain, Chainguard unveiled two new product families: Chainguard Actions and Chainguard Agent Skills.

Lorenc took direct aim at GitHub Actions’ security model, pointing out how difficult it is for even diligent teams to verify that a marketplace action is trustworthy or correctly scoped. He cited examples where actions pulled remote scripts or binaries at runtime, or contained shell‑injection risks that could leak tokens in complex pipelines, the same patterns behind real‑world compromises of GitHub‑hosted pipelines.

Chainguard Actions are “secured by default, drop‑in replacements of upstream GitHub Actions,” built and continuously hardened in the factory, with tests auto‑generated to ensure that security fixes don’t break behavior. To adopt them, Lorenc said, customers can “replace [the upstream org] with chainguard‑dev” in their workflows and then use a single GitHub setting to restrict usage to Chainguard’s curated set.
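The three weaknesses Lorenc named (unverifiable marketplace actions, remote code fetched at run time, and shell injection through workflow expressions) can all be spotted mechanically in a workflow file. The linter below is an added example written for this article, not Chainguard's tooling or part of Chainguard Actions; it treats an action reference as trustworthy only when pinned to a full 40-character commit SHA, flags `curl ... | sh` style downloads in `run:` steps, and flags any `${{ }}` expression in a `run:` body that interpolates a context an outside contributor controls (issue and pull request titles, comment bodies, `github.head_ref`). The sample workflow is constructed; the mutable `@v4` tag, the `pull_request_target` trigger and the invalid download URL are there to exercise the checks.

```python
import re

# Constructed sample workflow (not from the page); it mixes risky and safe patterns.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - name: Greet
        run: echo "Title: ${{ github.event.pull_request.title }}"
      - name: Install tool
        run: curl -sSL https://example.invalid/install.sh | bash
      - name: Safe greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
      - name: Multi-line
        run: |
          echo "Branch: ${{ github.head_ref }}"
          make build
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")
# Event contexts an outside contributor controls; interpolating them into a run: body
# is a shell injection, because the expression is expanded before the shell sees it.
UNTRUSTED_PREFIXES = (
    "github.event.issue.", "github.event.pull_request.", "github.event.comment.",
    "github.event.review.", "github.event.commits", "github.head_ref",
)


def _check_run_body(lineno, body):
    findings = []
    for expr in EXPR_RE.findall(body):
        if expr.startswith(UNTRUSTED_PREFIXES):
            findings.append((lineno, "expression-injection", expr))
    if PIPE_TO_SHELL_RE.search(body):
        findings.append((lineno, "remote-script-at-runtime", body.strip()))
    return findings


def lint_workflow(text):
    """Return (line, kind, detail) tuples for the three patterns above."""
    findings = []
    block_indent = None  # set while inside a multi-line `run: |` body
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if block_indent is not None:
            if indent >= block_indent:
                findings.extend(_check_run_body(lineno, raw))
                continue
            block_indent = None  # dedent ends the block scalar
        m = USES_RE.match(raw)
        if m:
            ref = m.group(1).strip("'\"")
            if ref.startswith(("./", "docker://")):
                continue  # local or container actions are not marketplace refs
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((lineno, "unpinned-action", ref))
            continue
        m = RUN_RE.match(raw)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", ">", ">-"):
                block_indent = indent + 1  # body lines are indented deeper than the key
            else:
                findings.extend(_check_run_body(lineno, body))
    return findings


if __name__ == "__main__":
    for line, kind, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {line}: {kind}: {detail}")
```

The "Safe greet" step shows the fix for the injection case: pass the untrusted value through `env:` and reference it as `$TITLE`, so the shell receives it as data rather than as part of the script. Pinning to a SHA closes the mutable-tag problem; it does not by itself tell you whether the pinned commit is trustworthy, which is the gap a curated, rebuilt set of actions is meant to fill.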


Kirkland suggested similar problems are emerging in the fast‑moving world of AI agent skills. These markdown bundles encode tools and best practices for AI agents. Kirkland loves agent skills. The moment AI became part of his “day‑to‑day workflow” was when he could ask Claude “to encapsulate this set of best practices… things that I want my teams and my developers and my managers and our engineers to do. Encapsulate that as a skill, and then feed that skill into the agent and say, this is the right way to do things.” That’s the good side of agents. The bad is that all too often, AI agent skills, like those shared in Moltbook, are filled with malicious capabilities.

To combat this issue, Kirkland explained that Chainguard has encapsulated “a couple of hundred” of these skills and is now making a curated, hardened subset available to customers as Chainguard Agent Skills, so teams can plug the capabilities directly into software build and review processes without worrying that a compromised skill might introduce vulnerabilities or exfiltrate data: “That’s what we’re insulating our customers against.” 

Perhaps the most ambitious announcement was Chainguard Gardener. This GitHub app brings pieces of Chainguard’s factory into customer repositories. Once installed, Gardener scans selected repos for Dockerfiles, library dependencies, AI skills, and other artifacts that could be replaced with Chainguard‑secured equivalents, then automatically opens pull requests to migrate, update tests, and keep dependencies current.


“The Gardener can constantly look through any of the repositories you decide to hook it up to,” Kirkland explained. “It can identify artifacts that could be secured using Chainguard artifacts. So it can look at Dockerfiles and find images that could be Chainguard. It’ll look at libraries that applications are using that could be Chainguard… [and] the skills and the agents that could be Chainguard.” The idea, he said, is to give customers “a really nice flywheel,” Chainguard’s own best practices, continuously applied inside their software development life cycle.
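The first thing a tool like Gardener has to do is the unglamorous part: find every `FROM` line in a Dockerfile that points at an upstream base image and propose a hardened replacement without breaking the build's own structure. The script below is an added illustration of that step, not Gardener itself: it walks a multi-stage Dockerfile, skips `FROM` lines that reference an earlier stage alias, `scratch`, or an image already on the curated registry, keeps `--platform` flags and `AS` aliases intact, and returns both the rewritten text and a list of proposals a bot could turn into a pull request. The mapping table and the `:latest` tag are hypothetical placeholders; a real tool would look the target up in the vendor's catalog. The Dockerfile is constructed.

```python
import re

# Hypothetical mapping from upstream image names to hardened equivalents. The right-hand
# side is illustrative: a real tool would look the target and its tags up in the catalog.
REPLACEMENTS = {
    "python": "cgr.dev/chainguard/python",
    "node": "cgr.dev/chainguard/node",
    "nginx": "cgr.dev/chainguard/nginx",
}
CURATED_REGISTRY = "cgr.dev/"

# Constructed multi-stage Dockerfile (not from the page).
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
WORKDIR /app
RUN pip install --no-cache-dir .
FROM --platform=linux/amd64 docker.io/library/nginx:1.27
COPY --from=builder /app/dist /usr/share/nginx/html
FROM builder AS test
RUN pytest
FROM cgr.dev/chainguard/node:latest
"""

FROM_RE = re.compile(
    r"^(?P<lead>\s*FROM\s+)(?P<flags>(?:--\S+\s+)*)(?P<image>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
AS_RE = re.compile(r"\bAS\s+(\S+)", re.IGNORECASE)


def _base_name(ref):
    """'docker.io/library/python:3.12-slim@sha256:...' -> 'python'."""
    ref = ref.split("@", 1)[0]
    return ref.rsplit("/", 1)[-1].split(":", 1)[0]


def propose_rewrites(dockerfile):
    """Return (rewritten text, [(line, old_ref, new_ref)]) for FROM lines with a known replacement."""
    aliases, proposals, out = set(), [], []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            out.append(line)
            continue
        image, rest = m.group("image"), m.group("rest")
        alias = AS_RE.search(rest)
        if alias:
            aliases.add(alias.group(1))
        # Skip stage references, scratch, and images already on the curated registry.
        if image in aliases or image.lower() == "scratch" or image.startswith(CURATED_REGISTRY):
            out.append(line)
            continue
        target = REPLACEMENTS.get(_base_name(image))
        if target is None:
            out.append(line)
            continue
        new_ref = f"{target}:latest"  # placeholder tag; a real tool maps to a published tag
        proposals.append((lineno, image, new_ref))
        out.append(f"{m.group('lead')}{m.group('flags')}{new_ref}{rest}")
    return "\n".join(out) + "\n", proposals


if __name__ == "__main__":
    text, proposals = propose_rewrites(SAMPLE_DOCKERFILE)
    for lineno, old, new in proposals:
        print(f"line {lineno}: {old} -> {new}")
    print(text)
```

A mechanical `FROM` swap is only the opening move of such a pull request. Hardened images of this kind are typically distroless and run as a non-root user, so `RUN` steps that assume a shell, a package manager or root will fail; that is why the article's description of Gardener pairs the migration with updating the tests, and why the proposals here are meant to land as a reviewable PR rather than be applied blind.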

Looking ahead, both Lorenc and Kirkland said they see the developer role itself changing rapidly. “The future of software development is… changing right before our eyes,” Kirkland said, arguing that the new products together offer “everything that an enterprise or a developer needs to ride that wave to push things further, faster, more secure.” Lorenc was even blunter: “This was the best time in history to be writing software, but it’s also the worst time… The bottleneck isn’t code anymore. It’s establishing trust.” He’s not wrong. 




