Chainguard VMs reduces risk and engineering complexity

Chainguard announced Chainguard VMs, a new product line offering minimal, zero-CVE virtual machine images built entirely from source.

Purpose-built for modern, ephemeral workloads in the cloud, Chainguard VMs represent a stark contrast to the legacy, general-purpose VMs that dominate the market today.

Chainguard VMs are guarded container host images, which offer a cloud-agnostic, threat-resistant environment for deploying and running containers. Chainguard VMs will help enterprises reduce costly engineering toil associated with container host maintenance and establish a secure foundation for faster development.

The growing need for secure container host environments

As enterprises continue to migrate to cloud-native architectures, containerized applications have become the standard for modern software deployment. To successfully run containerized applications, enterprises require a container host — a purpose-specific virtual machine that provides the necessary runtime environment for container execution.

Historically, enterprises have relied on general-purpose servers from incumbent Linux distribution providers for their container hosts. These legacy servers often contain large volumes of common vulnerabilities and exposures (CVEs) and excess components not required for a container host, leading to engineering toil related to managing CVEs. These incumbent Linux distributions also bundle all the components a general-purpose server might need into infrequent, major software releases.

This approach does not align with modern requirements for container hosts, which are ephemeral workloads that involve constant teardowns and updates. Instead of introducing software that is secure-by-design, legacy container hosts rely on slow, reactive patching and costly, resource-intensive migrations to new major software versions.

“Our customers need solutions that reduce vulnerabilities at every layer of their modern software deployment stack,” said Dan Lorenc, CEO at Chainguard. “Today, we’re bringing Chainguard’s expertise in building minimal, zero-CVE containers to the VMs they run on. No other company is delivering a minimal, continuously updated, and threat-resistant software supply chain with end-to-end integrity.”

Chainguard VMs unlock business value with zero-CVE security

Chainguard VMs extends Chainguard’s existing product portfolio — alongside Chainguard Containers and Chainguard Libraries — and reinforces its commitment to delivering a secure and efficient software deployment stack. Container host images in Chainguard are purpose-built for each major cloud service provider, with varieties for managed container services like Amazon EKS or for self-managed container deployments on Amazon EC2, Google Compute Engine, or Microsoft Azure.

This gives enterprises a consistent, minimal, secure, and continuously updated foundation for running containerized applications in any cloud environment. Free of the constraints that legacy vendors of general-purpose VMs impose on customers, Chainguard VMs provide tangible benefits across engineering, compliance, and security teams:

  • Reduced engineering overhead: Chainguard’s minimal, zero-CVE container host images eliminate the time-consuming burden of CVE triage and remediation, freeing engineers to focus on higher-priority tasks.
  • Continuous compliance: Compliance frameworks, such as FedRAMP, require organizations to eliminate CVEs in their VMs, including container hosts. Chainguard simplifies and accelerates compliance efforts with its zero-CVE approach.
  • Secure open source foundation: By standardizing container host deployments on Chainguard, organizations benefit from a reduced attack surface, minimal CVEs, and end-to-end integrity for all deployed software components.
  • Continuous open source upgrades: Chainguard continuously rebuilds images from source, ensuring customers receive the latest features, security patches, and performance enhancements from upstream maintainers — without requiring disruptive migrations.

“Chainguard is a turnkey solution for reducing threat surface area and patching burdens on engineering teams,” said Rob Gil, Senior Director, Federal Architecture at Okta. “Chainguard has built a distroless-as-a-service product that has created a zero-CVE, drop-in replacement for all of the bloated open source containers. We’re excited to see how Chainguard VMs can equip us with the same experience for secure host images across multiple cloud providers that we’ve come to expect for containers.”

“Among enterprises, efficiency is often second only to security. That’s been true for a long time, but it’s especially true as more teams move toward ephemeral, cloud-first infrastructure,” said Ryan J. Salva, Senior Director, Product Management, Developer Tools and Operations at Google. “Chainguard’s approach to reducing risk is smart. By validating the supply chain and building images in high-trust environments, they take one more risk out of the equation. I’m grateful to have them as a Google partner, and genuinely excited to see what they build next.”

“Companies are increasingly looking for ways to reduce the operational burden of managing container hosts while improving their security posture,” said KellyAnn Fitzpatrick, Senior Industry Analyst at RedMonk. “By delivering a minimal, purpose-built foundation that aligns with how modern cloud-native workloads run, Chainguard VMs aims to address a critical gap in modern software deployment and offer organizations a way to enhance security, reduce patching toil, and streamline compliance in multi-cloud environments.”

Chainguard VMs is now available in early access.