The Problem

GovSignals is building an AI platform to modernize government procurement—enabling more companies to sell to the government while helping agencies save taxpayer dollars. Our customers include federal government agencies and many of the world’s largest defense and government contractors.

Our customers require FedRAMP. FedRAMP requires enterprise-grade security. As a startup, we were faced with the challenge of reducing over 10,000 CVEs across 20+ container images in just two weeks. Many startups find themselves in similar situations.

With 21,500+ CVEs published in H1 2025 alone (DeepStrike), remediation velocity determines your security posture. Most startups are weeks behind. We needed to be minutes behind.

We experienced pain points common to nearly every engineering team:

  1. Remediating container image vulnerabilities (for images where Chainguard could not be used)
  2. Remediating library and external code vulnerabilities
  3. Keeping images up to date throughout CI/CD
  4. Knowing what’s vulnerable–for every new PR and for what’s running in production today

Our Philosophy: Platform Engineering for Security

Traditional security creates friction: developers want to ship fast, security wants to apply the brakes. We eliminated that friction by making security invisible.

  • Developers never leave GitHub — Results appear in the Security tab and PR comments
  • Zero configuration — Add a Dockerfile and scanning starts automatically
  • No manual triage — Multiple scanners catch different CVE types, with results pre-organized

Three Techniques That Made the Difference

1. Chainguard Base Images

Chainguard is our trusted partner for secure-by-default container images. Most default Docker base images are riddled with vulnerabilities, many of which go unremediated for weeks or even years. We cryptographically pin our images to a specific SHA-256 digest, so when upstream patches a CVE–often within 24 hours–we receive a new digest to pin against.

Result: Our base images carry 0-3 CVEs vs. 100-300 in typical Debian images.

2. Build-Time Dependency Remediation

Most CVEs hide in transitive dependencies—packages you didn't install directly. We built an override system that patches these dependencies at build time, without waiting for upstream maintainers.

Result: Minutes to remediate vs. industry-standard weeks.

3. Multi-Scanner CI/CD with PR Integration

We run multiple independent vulnerability scanners on every build. Research shows each scanner catches 10-15% of CVEs the others miss. Best of all, in our setup the results are fully integrated into GitHub: they surface in the GitHub Security dashboard and are commented directly on every pull request.

Result: Higher coverage with zero context switching for developers.
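As an added illustration of the multi-scanner idea (example code, not GovSignals' pipeline and not any scanner's native output format): findings already normalised from two scanners are merged into one deduplicated list, each scanner's blind spot is counted, fix-available criticals are flagged as build-blocking, and the result is rendered as a single PR comment. The scanner names, the per-finding schema (cve, pkg, fixed, severity) and the CVE ids are constructed placeholders.

```python
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed sample reports keyed by scanner name; CVE ids are placeholders, not real advisories.
# Assumed normalised schema per finding: cve, pkg, fixed (version or None), severity.
REPORTS = {
    "scanner_a": [
        {"cve": "CVE-0000-1001", "pkg": "libfoo", "fixed": "1.2.3", "severity": "HIGH"},
        {"cve": "CVE-0000-1002", "pkg": "libbar", "fixed": None, "severity": "MEDIUM"},
        {"cve": "CVE-0000-1003", "pkg": "libbaz", "fixed": "2.0.1", "severity": "CRITICAL"},
    ],
    "scanner_b": [
        {"cve": "CVE-0000-1001", "pkg": "libfoo", "fixed": "1.2.3", "severity": "CRITICAL"},
        {"cve": "CVE-0000-1004", "pkg": "libqux", "fixed": "0.9.8", "severity": "HIGH"},
    ],
}

def merge_findings(reports):
    """Union reports by (cve, package): keep the worst severity seen, note who reported it."""
    merged = {}
    for scanner, findings in reports.items():
        for f in findings:
            e = merged.setdefault((f["cve"], f["pkg"]),
                                  {"severity": "UNKNOWN", "fixed": None, "seen_by": set()})
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[e["severity"]]:
                e["severity"] = f["severity"]
            e["fixed"] = e["fixed"] or f.get("fixed")
            e["seen_by"].add(scanner)
    return merged

def unique_coverage(merged):
    """Per scanner, findings nobody else reported: the blind spot of a single-scanner pipeline."""
    counts = defaultdict(int)
    for e in merged.values():
        if len(e["seen_by"]) == 1:
            counts[next(iter(e["seen_by"]))] += 1
    return dict(counts)

def blocking_findings(merged, min_severity="CRITICAL"):
    """Findings at or above min_severity that already have a fix: fail the build on these."""
    return sorted(k for k, e in merged.items()
                  if e["fixed"] and SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[min_severity])

def pr_comment(merged):
    """Render the merged view as one Markdown table for a single PR comment."""
    rows = ["| CVE | Package | Severity | Fixed in | Found by |", "|---|---|---|---|---|"]
    for (cve, pkg), e in sorted(merged.items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        rows.append(f"| {cve} | {pkg} | {e['severity']} | {e['fixed'] or 'no fix yet'} "
                    f"| {', '.join(sorted(e['seen_by']))} |")
    return "\n".join(rows)
```

Disagreeing severities are resolved upward so a finding is never hidden because one scanner rated it lower; findings with no fixed version are reported but not blocking, since there is nothing to bump yet.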

Results

  • 20+ services secured with this pipeline
  • Zero critical CVEs in production
  • Zero developer friction — security is invisible
  • Minutes to remediate vs. industry-standard weeks

Want our toolkit?

We're packaging this as a toolkit for other developer teams using Chainguard who are managing CVEs and navigating container security compliance.

Interested? Request our toolkit →

What’s next?

We’re just getting started on accelerating our security practices. Here at GovSignals, we view security as a growth engine – Conner Aldrich, our CTO, discussed this perspective on a recent Chainguard Panel.

Our team is now exploring more intelligent remediation loops by integrating Claude Code, a custom MCP server, and proactive vulnerability discovery.