Remediating container image vulnerabilities (for images where Chainguard could not be used)
Keeping images up to date throughout CI/CD
Our Philosophy: Platform Engineering for Security
Our customers require FedRAMP. FedRAMP requires enterprise-grade security. As a startup, we were faced with the challenge of reducing over
With 21,500+ CVEs published in H1 2025 alone (DeepStrike), remediation velocity determines your security posture. Most startups are weeks behind. We needed to be invisible.
We experienced pain points common to nearly every engineering team:
Three Techniques That Made the Difference
Chainguard is our trusted partner for secure-by-default container images. Most default Docker base images are riddled with vulnerabilities, many of which go unremediated for weeks or even years. We pin every image to a specific SHA-256 digest rather than to a mutable tag, so a build always gets exactly the image we reviewed; when upstream patches a CVE (often within 24 hours) it publishes a new digest, and we bump the pin to it. The trade-off is that a digest never moves on its own: the bump has to be automated (a dependency-update bot or a scheduled job) or the fix is never picked up.
Result: Our base images carry 0-3 CVEs vs. 100-300 in typical Debian images.
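The digest-pinning discipline above, as an added example that is not the page's or Chainguard's own tooling: a small check that fails a build when any FROM line in a Dockerfile is not pinned to a sha256 digest, plus the rewrite that rolls a new upstream digest into the pin. The Dockerfile text and both digests are constructed placeholders; a real digest is the 64-hex value the registry reports for the image manifest.

```python
"""Pin container base images to an immutable sha256 digest and check that
every FROM line in a Dockerfile is pinned.

Added example, not the page's or Chainguard's own tooling. The Dockerfile
text and both digests below are constructed placeholders.
"""
import re

# FROM [--platform=...] <ref> [AS <stage>]   where ref = image[:tag][@sha256:hex]
FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(?P<ref>\S+)"
    r"(?:[ \t]+AS[ \t]+(?P<stage>\S+))?[ \t]*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_from_lines(dockerfile: str) -> list[str]:
    """Return references from FROM lines that are not digest-pinned.

    'scratch' and earlier build stages (FROM builder) are skipped: neither is
    a registry image, so there is nothing to pin. A tag alone (":latest",
    ":3.12") is mutable and counts as unpinned.
    """
    stages: set[str] = set()
    unpinned: list[str] = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() != "scratch" and ref.lower() not in stages:
            if not DIGEST_RE.search(ref):
                unpinned.append(ref)
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return unpinned


def repin(dockerfile: str, image: str, new_digest: str) -> str:
    """Rewrite every FROM line that uses `image` to `image[:tag]@sha256:<new>`.

    The tag is kept only as a human-readable hint; the digest is what pins.
    Any previous digest is replaced, so this is also how an upstream CVE fix
    (a new digest published for the same tag) is rolled into the build.
    """
    if not re.fullmatch(r"[0-9a-f]{64}", new_digest):
        raise ValueError("digest must be 64 lowercase hex characters")
    pat = re.compile(
        r"(?P<pre>^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?)"
        + re.escape(image)
        + r"(?P<tag>:[^@\s]+)?(?:@sha256:[0-9a-f]{64})?"
        r"(?P<rest>(?:[ \t]+AS[ \t]+\S+)?[ \t]*$)",
        re.IGNORECASE | re.MULTILINE,
    )
    return pat.sub(
        lambda m: f"{m.group('pre')}{image}{m.group('tag') or ''}"
        f"@sha256:{new_digest}{m.group('rest')}",
        dockerfile,
    )


OLD_DIGEST = "0" * 64  # constructed placeholder for the digest currently pinned
NEW_DIGEST = "1" * 64  # constructed placeholder for the post-patch digest
SAMPLE_DOCKERFILE = (  # constructed multi-stage Dockerfile
    "FROM cgr.dev/chainguard/python:latest-dev AS builder\n"
    "RUN pip install --no-cache-dir -r requirements.txt\n"
    f"FROM cgr.dev/chainguard/python:latest@sha256:{OLD_DIGEST}\n"
    "COPY --from=builder /app /app\n"
    "FROM builder AS test\n"
)

if __name__ == "__main__":
    print("unpinned:", unpinned_from_lines(SAMPLE_DOCKERFILE))
    fixed = repin(SAMPLE_DOCKERFILE, "cgr.dev/chainguard/python", NEW_DIGEST)
    print(fixed)
    print("unpinned after repin:", unpinned_from_lines(fixed))
```

Run the check as a CI step that exits non-zero when the list is non-empty, and let the bump job call `repin` with the digest the registry reports for the new build; the stage-name tracking matters because `FROM builder` in a later stage must not be flagged as an unpinned image.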
Most CVEs hide in transitive dependencies, packages you didn't install directly but that your direct dependencies pull in. We built an override system that forces patched versions of these dependencies at build time, without waiting for upstream maintainers to cut a new release of the package that depends on them. An override is only safe once the patched version is confirmed compatible with the package that requires it, so each one should be recorded with its reason and removed once upstream ships the fix.
Result: Minutes to remediate vs. industry-standard weeks.
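One way to implement a build-time override for transitive dependencies, as an added example and not the page's own system: a lockfile plus an override table is turned into a pip constraints file, which pip applies on top of the project's requirements. Package names, versions and reasons in the sample data are constructed; the version comparison is a deliberately simple dotted-integer compare (use `packaging.version` for full PEP 440 handling in production).

```python
"""Override vulnerable transitive dependencies at build time by turning a
lockfile plus an override table into a pip constraints file.

Added example, not the page's own override system. Package names, versions
and reasons in the sample data are constructed. The version comparison is a
simple dotted-integer compare (an assumption; use packaging.version for full
PEP 440 semantics such as pre-releases).
"""
import re

# transitive package -> (minimum safe version, reason kept for the audit trail).
# Constructed sample; not real advisories.
OVERRIDES = {
    "urllib3": ("2.2.2", "example: parsing fix shipped in upstream release"),
    "certifi": ("2023.7.22", "example: distrusted root CA removed"),
    "cryptography": ("42.0.5", "example: only applied if present in the lockfile"),
}


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted-integer version key; adequate for the pinned releases here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lock(text: str) -> dict[str, str]:
    """Read 'name==version' lines from a requirements-style lockfile.

    Comment lines and '--hash=' continuation lines are ignored.
    """
    locked: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith(("#", "--")):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if m:
            locked[normalize(m.group(1))] = m.group(2)
    return locked


def plan_overrides(locked: dict[str, str], overrides: dict) -> dict[str, str]:
    """Return {package: forced_version} for every locked package whose version
    is below the override minimum.

    Packages absent from the lockfile are not added: a constraints file must
    never pull in something the application does not actually use.
    """
    plan: dict[str, str] = {}
    for name, (minimum, _reason) in overrides.items():
        key = normalize(name)
        current = locked.get(key)
        if current is not None and parse_version(current) < parse_version(minimum):
            plan[key] = minimum
    return plan


def render_constraints(plan: dict[str, str], overrides: dict) -> str:
    """Emit a pip constraints file with the reason for each forced version."""
    reasons = {normalize(k): v[1] for k, v in overrides.items()}
    lines = ["# generated: transitive dependency overrides"]
    for name in sorted(plan):
        lines.append(f"{name}=={plan[name]}  # {reasons[name]}")
    return "\n".join(lines) + "\n"


SAMPLE_LOCK = """\
# constructed lockfile excerpt (pip-compile style)
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==1.26.5
certifi==2023.7.22
idna==3.4
"""

if __name__ == "__main__":
    plan = plan_overrides(parse_lock(SAMPLE_LOCK), OVERRIDES)
    print(render_constraints(plan, OVERRIDES))
```

The generated file is applied with `pip install -c constraints.txt -r requirements.txt`; a constraint only narrows what the resolver may choose, so if the forced version is incompatible with a direct dependency's declared range the install fails loudly instead of silently downgrading, which is the behaviour you want from an override.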
We run multiple independent vulnerability scanners on every build, because no single scanner has complete coverage: research shows each one catches 10-15% of CVEs that the others miss. The results are fully integrated into GitHub, surfacing in the GitHub Security dashboard and as comments on every pull request.
Result: Higher coverage with zero context switching for developers.
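The multi-scanner merge described above, as an added example that is not the page's own integration: findings from several scanners are unioned on (CVE, package, version), severity disagreements resolve to the highest rating, each scanner's unique contribution is measured, and the result is rendered as the table a PR comment would carry. The two reports are constructed samples shaped like the fields you would pull from a SARIF result; the CVE identifiers are fake.

```python
"""Merge findings from several independent image scanners, report what each
one found that the others missed, and render the summary for a PR comment.

Added example, not the page's own integration. The reports below are
constructed samples (the CVE ids are fake) shaped like the fields you would
extract from each scanner's SARIF output.
"""
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports: scanner name -> list of
# (cve, package, installed version, severity as that scanner rated it).
REPORTS = {
    "scanner-a": [
        ("CVE-2099-0001", "libfoo", "1.0.0", "HIGH"),
        ("CVE-2099-0002", "libbar", "2.3.1", "MEDIUM"),
        ("CVE-2099-0003", "libbaz", "0.9.0", "CRITICAL"),
    ],
    "scanner-b": [
        ("CVE-2099-0002", "libbar", "2.3.1", "HIGH"),
        ("CVE-2099-0003", "libbaz", "0.9.0", "CRITICAL"),
        ("CVE-2099-0004", "libqux", "4.1.0", "LOW"),
    ],
}


def merge_findings(reports: dict) -> dict:
    """Union of findings keyed by (cve, package, version).

    When scanners disagree on severity the highest rating wins, so one
    scanner's lower rating can never hide another's critical.
    """
    merged: dict = {}
    for scanner, findings in reports.items():
        for cve, pkg, ver, sev in findings:
            key = (cve, pkg, ver)
            entry = merged.setdefault(key, {"severity": sev, "found_by": set()})
            entry["found_by"].add(scanner)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = sev
    return merged


def unique_to(merged: dict, scanner: str) -> list:
    """Findings that only this scanner reported: what you would lose without it."""
    return sorted(k for k, v in merged.items() if v["found_by"] == {scanner})


def missed_alone(merged: dict, reports: dict) -> dict:
    """How many of the merged findings each scanner would have missed on its own."""
    return {
        s: sum(1 for v in merged.values() if s not in v["found_by"])
        for s in reports
    }


def has_blocking(merged: dict, threshold: str = "CRITICAL") -> bool:
    """Merge gate: True if any finding meets the severity threshold."""
    return any(
        SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[threshold]
        for v in merged.values()
    )


def pr_comment(merged: dict) -> str:
    """Markdown table for a pull request comment, worst severity first."""
    rows = sorted(
        merged.items(), key=lambda kv: (-SEVERITY_RANK[kv[1]["severity"]], kv[0])
    )
    lines = [
        "| CVE | Package | Version | Severity | Found by |",
        "|---|---|---|---|---|",
    ]
    for (cve, pkg, ver), v in rows:
        found = ", ".join(sorted(v["found_by"]))
        lines.append(f"| {cve} | {pkg} | {ver} | {v['severity']} | {found} |")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_findings(REPORTS)
    print(pr_comment(merged))
    print("missed if run alone:", missed_alone(merged, REPORTS))
    print("blocking:", has_blocking(merged))
```

For the dashboard side, scanners such as Grype and Trivy can emit SARIF directly; uploading each run with the `github/codeql-action/upload-sarif` action, with a distinct `category` per scanner so the uploads do not overwrite each other, is what makes the findings appear in the Security tab with the scanner named as the tool.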
20+ services secured with this pipeline
Zero critical CVEs in production
Zero developer friction: security is invisible
Minutes to remediate vs. industry-standard weeks
We're packaging this as a toolkit for other developer teams using Chainguard who are managing CVEs and navigating container security compliance.
Interested? Request our toolkit →