
    Chainguard Images

    Sold by: Chainguard 
    Deployed on AWS
    Chainguard Images are a collection of minimal, hardened container images that are patched and rebuilt daily, and come with low-to-zero known CVEs, SLSA 2 compliance, signatures, and SBOMs.
    4.8

    Overview

    Chainguard Images are a collection of minimal, hardened container images. They only contain what is required to build or run your application, delivering on average a 97.6% reduction in CVEs. Each Chainguard Image is patched and rebuilt daily from source with the latest security fixes and CVE remediations, resulting in low-to-zero known CVEs, verifiable image signatures and attestations, high-quality SBOMs, and SLSA Level 2 - Build compliance.
    The Chainguard Images inventory contains images for the most popular base images, including Go, Python, Ruby, PHP, Node, and more; and a selection of common developer tools, applications, data products, and servers.
    Chainguard Production Images are available for FIPS compliance, major and minor versions, enterprise SLAs, and customer support. Chainguard offers custom pricing through AWS Marketplace Private Offers.

    Chainguard provides custom pricing for customers via Private Offer. Please contact AWS-marketplace@chainguard.dev for more information on our pricing model. Pricing displayed is per Image.

    Highlights

    • Low-to-zero known CVEs with daily patches and rebuilds
    • Full SLSA Build Level 2 provenance, signatures, and SBOMs
    • Images with FIPS validation available upon request

    Details

    Delivery method

    Deployed on AWS

    Pricing

    Chainguard Images

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (6)

    Dimension | Description | Cost/12 months
    Starter Images | :latest version of OSS packages | $0.00
    Application Image | The listed pricing is for illustrative purposes only and does not reflect actual pricing, which will be provided upon request, exclusively as part of a private offer from Chainguard | $0.01
    Base Image | The listed pricing is for illustrative purposes only and does not reflect actual pricing, which will be provided upon request, exclusively as part of a private offer from Chainguard | $0.01
    FIPS Image | The listed pricing is for illustrative purposes only and does not reflect actual pricing, which will be provided upon request, exclusively as part of a private offer from Chainguard | $0.01
    AI Image | The listed pricing is for illustrative purposes only and does not reflect actual pricing, which will be provided upon request, exclusively as part of a private offer from Chainguard | $0.01
    Standard CSM | The listed pricing is for illustrative purposes only and does not reflect actual pricing, which will be provided upon request, exclusively as part of a private offer from Chainguard | $0.01

    Vendor refund policy

    Contact us for refund information


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    Top 10 in Application Stacks, Operating Systems
    Top 100 in Collaboration & Productivity, Application Development
    Top 25 in Compliance and Auditing


    Overview

    AI generated from product descriptions
    Daily Security Patching and Rebuilding
    Container images are patched and rebuilt daily from source with the latest security fixes and CVE remediations.
    Vulnerability Reduction
    Minimal, hardened container images delivering on average a 97.6% reduction in CVEs with low-to-zero known vulnerabilities.
    Supply Chain Security Compliance
    Full SLSA Level 2 - Build compliance with verifiable image signatures, attestations, and high-quality SBOMs.
    Multi-Language Runtime Support
    Pre-built images available for popular programming languages and runtimes including Go, Python, Ruby, PHP, and Node.
    FIPS Compliance Availability
    Production images with FIPS validation available for regulatory compliance requirements.
    Automated Vulnerability Remediation
    Automatically removes up to 95% of CVEs without requiring code changes, reducing vulnerability and patch management backlogs.
    Daily Security Patching and Hardening
    Curated images are patched and hardened daily from source with latest security fixes and CVE remediations, resulting in Zero or Near-Zero CVEs.
    Software Bill of Materials Generation
    Generates high-quality SBOMs in multiple formats including raw JSON, SPDX, and Cyclone DX to address software supply chain and compliance requirements.
    CI/CD Pipeline Integration
    Integrates with CI/CD pipelines and container deployment platforms through simple API calls.
    Build Compliance Certification
    Achieves SLSA Level 2 Build compliance for container images and applications.
    Security Hardening Standard
    Hardened according to CIS Benchmark Level 2 profile developed through consensus-based process and accepted by government, business, industry, and academia.
    Regulatory Compliance Support
    Supports compliance with PCI DSS, FedRAMP, DoD Cloud Computing SRG, FISMA, and select NIST publications.
    Container Orchestration Optimization
    Optimized for use with Amazon Elastic Container Service for Kubernetes (EKS) on Amazon Linux 2 base image.
    Security Configuration Components
    Includes hardened account and local policies, firewall configuration, and computer-based and user-based administrative templates.
    Conformance Assessment and Documentation
    Includes CIS Configuration Assessment Tool (CIS-CAT Pro) reports and detailed documentation of hardening changes, package modifications, and exceptions applied to the image.

    Contract

    Standard contract
    No
    No

    Customer reviews

    Ratings and reviews

    4.8 (48 ratings)
    5 star: 88%
    4 star: 10%
    3 star: 2%
    2 star: 0%
    1 star: 0%
    1 AWS review | 47 external reviews
    External reviews are from G2.
    Security and Investigations

    Great Catalog of FIPS-Compliant Images with Easy Base Image Customization

    Reviewed on Jan 21, 2026
    Review provided by G2
    What do you like best about the product?
    There is a good catalog of FIPS-compliant images, and they support customization by adding packages directly to a base image.
    What do you dislike about the product?
    Some images were missing, which complicated the process of migrating all our services.
    What problems is the product solving and how is that benefiting you?
    It is helping us achieve FedRAMP High, which expands our client base.
    Daniel R.

    Secure, Low-Vulnerability Containers That Integrate Seamlessly into Our Pipelines

    Reviewed on Jan 19, 2026
    Review provided by G2
    What do you like best about the product?
    Chainguard zero- and minimum-vulnerability containers help us deliver secure services and products to our customers with less effort and reduced cybersecurity risk. These containers are a 1-to-1 replacement for existing publicly available containers, and they integrate easily into our development pipelines with no additional effort.
    What do you dislike about the product?
    Chainguard containers are expensive. However, when I consider how many staff hours go into building and maintaining hardened, low-vulnerability containers for applications, the cost does pay off.
    What problems is the product solving and how is that benefiting you?
    Chainguard helps reduce cybersecurity risks and the effort associated with our applications by providing secure open-source containers. This, in turn, lowers our need to build and maintain low-vulnerability forks of open-source packages.
    Taruj G.

    Secured Workloads with Excellent Support

    Reviewed on Jan 13, 2026
    Review provided by G2
    What do you like best about the product?
    I like the hardened images and their support for debugging and other channels. I appreciate the vLLM and OSS support along with the images that we need major upgrades for. I also like their release cadence and find their customer support to be good. I value the minimal, hardened, continuously patched base images that work with vLLM, which has a fast release cadence and evolving dependencies. I also like the immutable image tags, SBOM, and continuous rebuild features.
    What do you dislike about the product?
    I find the lack of easy migration guides and more FDE support frustrating. Also, the initial setup was problematic for GPU services as core NVIDIA images are not supported.
    What problems is the product solving and how is that benefiting you?
    I use Chainguard for hardened images, better CVE metrics, securing workloads without root access, and aligning with compliance requirements.
    Abhishek

    Secured container workloads have reduced noise and monitoring improves with better debugging options

    Reviewed on Dec 09, 2025
    Review from a verified AWS customer

    What is our primary use case?

    I have been working in my current field for the last five and a half years. I have been evaluating Chainguard Containers for the last three months.

    I was looking for security and compliance, supply chain integrity in our containers. We have heavy workloads which require security maintenance, and we wanted to reduce the burden on it. That is why we need something for debugging, traceability, and auditable builds. That is why we use Chainguard Containers.

    I am currently using this tool and testing the log integrity and having all the security monitoring of the containers to ensure that there is no unusual case happening within containers. We are always using the container processing all the right traffic for us. Apart from it, I am just checking how much processing power it requires to handle the concurrency accordingly. I am also evaluating other tools, but Chainguard Containers is kind of becoming a permanent tool in our evaluation right now.

    For security monitoring, I am using Chainguard Containers right now as an adapter functionality to my respective pod. What is happening is that we are basically pulling the logs of all the containers and auditing those logs with the help of Chainguard Containers and basically understanding exactly how our containers are behaving. A few things I liked about it are how easily Chainguard Containers documentation is to go through, and the integration was a bit seamless compared to other monitoring tools. Comparatively, I have tested a lot of tools such as DataDog, Snyk, and Wiz, and I found Chainguard Containers documentation a bit more comfortable. Apart from it, there are a lot of places where I found Chainguard Containers could have improvised, but throughout my experience right now, it felt a bit seamless compared to others. I am basically using it for logging and metrics or basically understanding of the auditing.

    What is most valuable?

    The best feature of Chainguard Containers is being distroless. That means I am a minimalist. I am a fan of having a minimalistic view in front of me and looking at the right dataset in front of me instead of GUI effects or a lot of animations in front of me. That is where I found Chainguard Containers delivers. There was a lot of less vulnerability, CVE counts in Chainguard Containers comparatively to other tools. The main thing I liked about it is that they follow the SBOM process and the continuous rebuilds they were doing, and they were helping me to rapidly remediate the failures which were happening. This was something I liked about it because the images are much more leaner and it helps me to reduce noise, which is kind of a thing I look for in microservices.

    Sometimes if you are using the latest image, instability comes. However, if you are using a bit older image, I think that is more stable. Chainguard Containers is much more stable comparatively to others.

    What needs improvement?

    There are a lot of certain points where I feel that having the functionality of having debugging and ensuring that if I like, I can have the dependence of things where things I felt were lacking. Overall, the tool itself is kind of a great start for my evaluation. Because we are currently evaluating, we will have much more of an understanding of this tool again in the near future.

    If you talk about the concurrent processing, there is some bit of mismanagement happening in Chainguard Containers, which I do not like about it and which is kind of a deal breaker for me. On terms of scalability, because it is hosted on Kubernetes, there is no issue with the scaling and handling the infrastructure. However, when it comes to processing, there is a kind of a bit of a delay which happens. For most customers, this will not be relevant because what we deal with is the concurrency, and for us, every microsecond counts. So for our use case, perhaps that is a limitation, but for the overall market, I do not think that will be a great limitation for them.

    I'll say that having debugging possibilities can actually help to improvise Chainguard Containers more because as a product, I see a lack of visibility on that. Perhaps I might be wrong. I do not know exactly the way to do it. I am still in the evaluation process. That is one thing. The second thing is that there were no quick fixes available. That is problematic because if you are not able to configure it yourself, you should be able to get those quick fixes right away so that you can continue with your work. You need a detailed discipline if you want to debug those things because it is kind of a mess when you start debugging these containers when they fall. That is why I am still evaluating tools where I can get the balance of both.

    What do I think about the stability of the solution?

    Sometimes there are backend errors which we come across again and again, and there is a resolution, but there are pending tickets for it. That sucks sometimes. For now, I am just on the evaluation phase. I have not yet integrated with the real pipelines. So that is not a challenge for us, but in the near future, if we integrate it, that will be a real bottleneck for us if we are actually dealing with it.

    How are customer service and support?

    The customer support, for me, was not great. It was okay. The response is saved and versus the solution received, it was not that much. I'll say that they have to improvise a lot on the customer support. The key thing, customer obsession is one of AWS's major things. If you are not following it thoroughly, then you will not be in the market. A faster product support team response would be really great.

    How would you rate customer service and support?

    Which solution did I use previously and why did I switch?

    We used to use multiple solutions, but we are not switching right now. We have not made the decision yet. So, it will be difficult for me to tell right now. I am evaluating it right now, but for more results and less noise.

    How was the initial setup?

    Initially, we had a lot of images which were kind of very heavy and outdated, which I replaced with the help of Chainguard Containers distroless. Apart from it, I am continuously testing on CI builds, not yet finalized yet. The overall PR processing time is lower than others which I have tested right now. That is kind of a plus gain for us as well because we try to automate as much as possible. Having a reduced timeline accordingly helps us to navigate.

    What was our ROI?

    It is an early stage to comment about it. However, based on the numbers I have, I'll say it definitely reduced my overall team's hours and cost spent on them. Definitely it will be a positive trend for me if I integrate it in my tool. However, considering the cost it incurs, I have to check exactly what it bills and basically how much time it saves. Occasionally, for a larger team, if they want to integrate it and they have, they have to put in fewer hours comparatively. So it will be a great tool to invest in.

    What's my experience with pricing, setup cost, and licensing?

    Currently, we are not paying for it. We are just evaluating right now, but we will get in discussion for that pricing and setup cost. So I cannot comment on that.

    Which other solutions did I evaluate?

    We used to use multiple solutions, but we are not switching right now. We have not made the decision yet. I am evaluating it right now, but for more results and less noise.

    I was evaluating a lot of options. We are evaluating DataDog tools, Snyk, Wiz, and some other two companies as well. There are a lot of competitors for Chainguard Containers we are evaluating. For now, I cannot disclose that information, but Chainguard Containers is kind of a prominent service among the other competitors.

    What other advice do I have?

    Chainguard Containers on its own, the tool is great. The only thing I liked about Chainguard Containers is that the secured by default philosophy they have. That is where I really got connected to it because being a DevSecOp, this is something we look for from the scratch, because there are a lot of pods that are running inside our infrastructure. I want that to ensure that no pod is going nuts and ensuring that all the data log that is being processed is being processed as a productive workload, not as some hackers' attempts.

    I am yet to get it to production right now because I am still in the evaluation phase. I am deliberately checking it out. It is a positive candidate for us to leverage it. However, for now, I have not yet decided because I am continuously evaluating its competitor as well. The good part I love about it is that it has zero CVE alerts, SBOM in it. That is something I loved about it, but there are a few things that I actually did not like about it. There were some problems which occurred, and there were no quick fixes. I have to wait for a longer duration, the SLA is a long wait. Basically, there is no shell support, and I have to get time to debug the things. That is where I felt the freedom of having a dev environment, where basically I should be able to debug on my own, was something lacking.

    However, as a product, as a SaaS platform, if I integrate it to my platform, having a distroless image, is something that is cool. It helps to improve the team efficiency overall. However, as an individual person, I would love if there is some configurability there as well from a DevSecOps standpoint.

    I'll say that if you need a distroless container-based system where basically you do not want to increase your size of image just because you want to secure your infra, then Chainguard Containers is a very good product to evaluate because it has less noise and comparatively to other toolsets. The second thing is, it has SBOM and zero CVE alerts, which is something always every security engineer is looking for. You can scale on Kubernetes, that is the plus point. That is something that makes this a competitive candidate to always have a lookout for.

    I have covered my review from the last three months. I will be in a better state to have more discussion if we integrate it. I would rate this product a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Mathieu L.

    Essential for CVE-Free Container Management

    Reviewed on Nov 21, 2025
    Review provided by G2
    What do you like best about the product?
    I appreciate Chainguard's extensive range of catalog with more than 500 public images to choose from, which significantly enhances my experience by ensuring that an image such as Linkerd is available and likely vulnerability-free compared to other sources like DockerHub. The availability of such a vast selection of images provides us with assurance and flexibility, making it easier to maintain security standards. I value the proactive approach of Chainguard in addressing CVEs by ensuring the images are rebuilt daily, which gives me confidence in their security posture. Additionally, I find the initial setup process to be very easy, and I enjoy the self-management feature allowing me to choose the right images from the catalog effortlessly.
    What do you dislike about the product?
    It would be great if Chainguard's container registry could sync with AWS ECR so I could use my own private registry instead. I believe it's being worked on though.
    What problems is the product solving and how is that benefiting you?
    I use Chainguard for vulnerability-free container images, addressing CVE vulnerabilities and rebuilding daily. It offers over 500 compatible public images, enhancing security by avoiding CVE-prone DockerHub alternatives.