Chainloop Joins Chainguard Commercial Builds
Daniel Liszka
We’re excited to announce that Chainloop has joined Chainguard’s Commercial Builds program, a new initiative that brings the same hardened, minimal, and secure-by-default container images Chainguard is known for to commercial software vendors and their customers.
Containers are now the default packaging unit for cloud-native applications running in production. Enterprises expect container images to be hardened, minimal, and built with security best practices in mind, and they hold all of the software they run, open source or commercial, to the same bar: provenance, SBOMs, predictable vulnerability response, and compliance readiness.
Meeting those expectations, however, has proven difficult for both vendors and customers.
The Challenge of Delivering Secure Container Images
At Chainloop, our customers deploy primarily on-premises in highly regulated environments such as financial services, defense, and critical infrastructure. In these environments, container images must meet a very high bar for security, compliance, and operational consistency before they can be approved for production use.
That challenge is not unique to Chainloop. Delivering commercial software as container images has become significantly more complex across the industry. Customer environments vary widely across Linux distributions, hardened golden images, and internal platform standards. Supporting every environment directly is unrealistic, and asking customers to rebuild, harden, and maintain vendor images themselves creates friction, delays deployments, and inconsistent outcomes.
FIPS readiness is another important requirement for many of our customers. Before Chainguard, we did not have a strong path to deliver FIPS-ready images. With Chainguard, we do.
We’re partnering with Chainguard to meet our customers where they’re already deploying, giving them a consistent, trusted experience across their entire software stack.
About Chainguard Commercial Builds
Chainguard Commercial Builds introduces a modern model for packaging commercial software.
We work directly with Chainguard, which packages and maintains our commercial software in the Chainguard Factory, a SLSA Level 3-compliant build system designed to deliver a minimal attack surface, zero known CVEs, full provenance, SBOMs, and predictable vulnerability response.
This partnership means we can deliver the security, compliance, and ease of use our customers demand while letting Chainguard handle the burden of securely building and maintaining container images with the latest dependencies — so you can have wall-to-wall coverage across your stack.
What This Means for Customers
Chainloop focuses on a centralized governance layer for the entire software delivery life cycle, while Chainguard focuses on secure-by-default containers.
Together, customers get Chainloop delivered as a Chainguard Image, produced by Chainguard's software supply chain factory: minimal and hardened, with SBOMs, zero known CVEs, full provenance, signatures, FIPS readiness, and SLAs for remediation.
The result is a stronger path to production: less deployment friction, lower operational burden, and a more consistent security and compliance posture across the stack.
Your teams can focus on getting value from Chainloop, rather than maintaining the layers beneath it.
Together, Chainguard and Chainloop help organizations build a software factory that is secure by default and governable by design.
Modernize Your Software Factory with Chainloop
Chainloop collects and stores every signal from your software delivery lifecycle (attestations, SBOMs, vulnerability scans, build provenance, test results) in a single, cryptographically protected source of truth. Every piece of evidence is signed and timestamped, so any later modification is detectable, giving your organization a verifiable record of how every artifact was built, tested, and approved.
On top of that evidence layer, Chainloop lets you define guardrails, automate policy enforcement, and govern delivery consistently across pipelines, teams, and environments. Declarative, GitOps-ready, and built for regulated environments, Chainloop stores all evidence in your own cloud storage and gives teams one place to both collect the evidence and enforce the rules.
Chainguard ensures that the container images you consume come with attestations, SBOMs, provenance, and signatures. Chainloop ensures those same trust signals are collected, verified, and enforced across every stage of your own software delivery process — from source to production.
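As an added illustration (not Chainloop's or Chainguard's own code), here is the consumer-side half of that loop. Once cosign or equivalent sigstore tooling has verified the signature on a DSSE envelope, the policy layer still has to check that the in-toto Statement inside actually covers the image digest about to be deployed, and that a provenance attestation names a builder you trust. The image digests, builder identities, and registry names below are constructed for this example; the type URIs are the real in-toto Statement v1, SLSA provenance v1, and SPDX predicate identifiers.

```python
import base64
import json

# Well-known type identifiers from the in-toto, SLSA and SPDX specifications.
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
SPDX_DOCUMENT = "https://spdx.dev/Document"

# Constructed sample values: the digest of the image we are about to deploy and
# the builder identity we are willing to trust. Both are made up for this example.
IMAGE_DIGEST = "sha256:" + "ab" * 32
TRUSTED_BUILDERS = {"https://builder.example.invalid/slsa/v1"}


def _envelope(statement: dict) -> dict:
    """Wrap a statement in a DSSE envelope. The signature is a placeholder:
    this example checks content only and leaves cryptographic verification of
    the envelope to cosign/sigstore, which runs before these checks."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
    }


def _statement(predicate_type: str, digest: str, predicate: dict) -> dict:
    """Build an in-toto Statement whose single subject is the given image digest."""
    algo, _, hexval = digest.partition(":")
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": "registry.example.invalid/app", "digest": {algo: hexval}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


# Constructed attestations covering the four cases the policy should distinguish.
GOOD_PROVENANCE = _envelope(_statement(SLSA_PROVENANCE_V1, IMAGE_DIGEST, {
    "buildDefinition": {"buildType": "https://builder.example.invalid/build/v1"},
    "runDetails": {"builder": {"id": "https://builder.example.invalid/slsa/v1"}},
}))
GOOD_SBOM = _envelope(_statement(SPDX_DOCUMENT, IMAGE_DIGEST, {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app",
    "packages": [{"name": "busybox", "versionInfo": "1.36.1"}],
}))
# Genuine-looking provenance for a different digest: valid signature, wrong image.
STALE_PROVENANCE = _envelope(_statement(SLSA_PROVENANCE_V1, "sha256:" + "cd" * 32, {
    "runDetails": {"builder": {"id": "https://builder.example.invalid/slsa/v1"}},
}))
# Provenance for the right image but from a builder we never approved.
UNTRUSTED_PROVENANCE = _envelope(_statement(SLSA_PROVENANCE_V1, IMAGE_DIGEST, {
    "runDetails": {"builder": {"id": "https://laptop.example.invalid/handmade"}},
}))


def decode_statement(envelope: dict) -> dict:
    """Unwrap the DSSE envelope and return the in-toto Statement it carries."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    return statement


def subject_matches(statement: dict, image_digest: str) -> bool:
    """True if any subject of the statement is exactly the image digest."""
    algo, _, hexval = image_digest.partition(":")
    return any(s.get("digest", {}).get(algo) == hexval for s in statement.get("subject", []))


def evaluate(envelope: dict, image_digest: str, trusted_builders: set) -> list:
    """Return policy violations for one attestation; an empty list means admissible."""
    try:
        statement = decode_statement(envelope)
    except (ValueError, KeyError) as exc:
        return [f"malformed envelope: {exc}"]
    problems = []
    if not subject_matches(statement, image_digest):
        problems.append("subject digest does not match the image being deployed")
    ptype = statement.get("predicateType")
    predicate = statement.get("predicate", {})
    if ptype == SLSA_PROVENANCE_V1:
        builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
        if builder not in trusted_builders:
            problems.append(f"provenance from untrusted builder {builder!r}")
    elif ptype == SPDX_DOCUMENT:
        if not predicate.get("spdxVersion", "").startswith("SPDX-") or not predicate.get("packages"):
            problems.append("SBOM predicate is not a usable SPDX document")
    else:
        problems.append(f"unrecognised predicateType {ptype!r}")
    return problems


if __name__ == "__main__":
    cases = [("good provenance", GOOD_PROVENANCE), ("good sbom", GOOD_SBOM),
             ("stale provenance", STALE_PROVENANCE), ("untrusted provenance", UNTRUSTED_PROVENANCE)]
    for name, env in cases:
        print(name, "->", evaluate(env, IMAGE_DIGEST, TRUSTED_BUILDERS) or "OK")
```

The subject-digest check is the one most often skipped in practice: a signature proves who produced the attestation, not that it describes the artifact in front of you, so an attacker who can redirect a tag to an older, attested image would pass signature verification alone. Checking the digest and the builder identity together is what turns a valid attestation into an admissible one.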
Built on an open-source foundation, Chainloop gives you full transparency into the governance layer you’re adopting — inspect the code, evaluate the architecture, and de-risk adoption on your own terms.
Get Started
Chainloop images built by Chainguard will be available before the end of March. Reach out if you’d like early access or want to discuss how this fits into your environment.
- Book a demo to see Chainloop in action
- Explore Chainloop on GitHub
- Browse the Chainguard Image Directory