The State of Trusted Open Source

By NextTech, January 11, 2026

Chainguard, the trusted source for open source, has a unique view into how modern organizations actually consume open source software and where they run into risk and operational burdens. Across a growing customer base and an extensive catalog of over 1800 container image projects, 148,000 versions, 290,000 images, 100,000 language libraries, and nearly half a billion builds, they can see what teams pull, deploy, and maintain day-to-day, along with the vulnerabilities and remediation realities that come hand in hand.

That is why they created The State of Trusted Open Source, a quarterly pulse on the open source software supply chain. As they analyzed anonymized product usage and CVE data, the Chainguard team noticed common themes around what open source engineering teams are actually building with and the risks associated with it.

Here is what they found:

  • AI is reshaping the baseline stack: Python led the way as the most popular open source image among Chainguard's global customer base, powering the modern AI stack.
  • Over half of production happens outside of the most popular projects: Most teams may standardize on a familiar set of images, but real-world infrastructure is powered by a broad portfolio that extends far beyond the top 20 most popular, which this report refers to as longtail images.
  • Popularity does not map to risk: 98% of the vulnerabilities found and remediated in Chainguard images occurred outside of the top 20 most popular projects. That means the biggest security burden accumulates in the less-visible part of the stack, where patching is hardest to operationalize.
  • Compliance can be the catalyst for action: Compliance takes many forms today, from SBOM and vulnerability requirements to industry frameworks like PCI DSS and SOC 2, and regulations like the EU's Cyber Resilience Act. FIPS is just one example, focused specifically on U.S. federal encryption standards. Even so, 44% of Chainguard customers run a FIPS image in production, underscoring how frequently regulatory needs shape real-world software decisions.
  • Trust is built on remediation velocity: Chainguard eliminated Critical CVEs, on average, in under 20 hours.

Before we dive in, a note on the methodology: This report analyzes 1800+ unique container image projects, 10,100 total vulnerability instances, and 154 unique CVEs tracked from September 1, 2025, through November 30, 2025. When we use terms like "top 20 projects" and "longtail projects" (defined as images outside of the top 20), we are referring to real usage patterns observed across Chainguard's customer portfolio and in production pulls.

Usage: What teams actually run in production

If you zoom out, today's production container footprint looks exactly like you would expect: foundational languages, runtimes, and infrastructure components dominate the most popular list.

Most popular images: AI is reshaping the baseline stack

Across all regions, the top images are familiar staples: Python (71.7% of customers), Node (56.5%), nginx (40.1%), go (33.5%), redis (31.4%), followed by JDK, JRE, and a cluster of core observability and platform tooling like Grafana, Prometheus, Istio, cert-manager, argocd, ingress-nginx, and kube-state-metrics.

This suggests that customers operate a portfolio of critical building blocks, including languages, gateways, service mesh, monitoring, and controllers, that together form the foundation of their business.

It is not surprising to see Python leading the way globally, as the default glue language for the modern AI stack. Teams often standardize on Python for model development, data pipelines, and increasingly for production inference services as well.

[Figure: Chainguard 1]

Most popular by region: Similar foundations, different longtail mix

North America shows a broad and consistent set of default production building blocks: Python (71.7% of customers), Node (56.6%), nginx (39.8%), go (31.9%), redis (31.5%), plus strong penetration of Kubernetes ecosystem components (cert-manager, istio, argocd, prometheus, kube-state-metrics, node-exporter, kubectl). Notably, even utility images like busybox show up meaningfully.

Outside North America, the same core stack appears, but the portfolio spreads differently: Python (72% of customers), Node (55.8%), Go (44.2%), nginx (41.9%), and a noticeable presence of .NET runtimes (aspnet-runtime, dotnet-runtime, dotnet-sdk) and PostgreSQL.

[Figure: Chainguard 2]
[Figure: Chainguard 3]

The longtail of images is essential to production, not edge cases

Chainguard's most popular images represent just 1.37% of all available images and account for roughly half of all container pulls. The other half of production usage comes from everywhere else: 1,436 longtail images that make up 61.42% of the average customer's container portfolio.

In other words, half of all production workloads run on longtail images. These are not edge cases. They are core to Chainguard's customers' infrastructure. It is relatively easy to keep the top handful of images polished, but what trusted open source requires is maintaining that security and velocity across the breadth of what customers actually run.

FIPS usage: Compliance is a catalyst for action

FIPS encryption is an essential technology in the compliance landscape, focused on satisfying U.S. federal encryption requirements. It also offers a useful window into how regulatory pressure drives adoption. In the data, 44% of customers run at least one FIPS image in production.

The pattern is consistent: when operating within compliance frameworks like FedRAMP, DoD IL-5, PCI DSS, SOC 2, CRA, Essential Eight, or HIPAA, teams need hardened, trusted open source software that mirrors their commercial workloads. The most used FIPS images align with the broader portfolio, simply with cryptographic modules strengthened for audit and verification.

Top FIPS image projects include Python-fips (62% of customers with at least one FIPS image in production), Node-fips (50%), nginx-fips (47.2%), go-fips (33.8%), redis-fips (33.1%), plus platform components like istio-pilot-fips, istio-proxy-fips, and cert-manager variants. Even supporting libraries and crypto foundations show up, such as glibc-openssl-fips.

FIPS is not the whole story, but it illustrates a broader truth: compliance is a universal driver, emphasizing the need for trusted open source across the entire software stack.

[Figure: Chainguard 4]

CVEs: Popularity does not map to risk

Looking across Chainguard's catalog of images, risk is overwhelmingly concentrated outside of the most popular images. Of the CVEs Chainguard remediated in the past three months, 214 occurred in the top 20 images, accounting for only 2% of the total CVEs. Go beyond these top images, and you will find the other 98% of CVEs Chainguard remediated (10,785 CVE instances). That is 50 times the number of CVEs in the top 20 images.

[Figure: Chainguard 5]

The largest volume of CVEs is categorized as Medium, but operational urgency often stems from how quickly Critical and High CVEs are addressed, and whether customers can rely on that velocity across their entire portfolio, not just the most common images.

Trust is built on remediation velocity

For us, trust is measured in time-to-fix, and Chainguard knows this matters most when it comes to Critical CVEs. During the three-month period analyzed, Chainguard's team achieved a less than 20-hour average remediation time for Critical CVEs, with 63.5% of Critical CVEs resolved within 24 hours, 97.6% within two days, and 100% within three days.

In addition to Critical CVE remediation, the team addressed High CVEs in 2.05 days, Medium CVEs in 2.5 days, and Low CVEs in 3.05 days, notably faster than Chainguard's SLAs (seven days for Critical CVEs and 14 days for High, Medium, and Low CVEs).

And this velocity is not confined to the most popular packages. For every single CVE remediated in a top 20 image project, they resolved 50 CVEs in less-popular images.

That longtail is where most of your real exposure hides, and it can feel hopeless trying to keep up. Most engineering organizations simply cannot allocate resources to patch vulnerabilities in packages that fall outside their core stack, but the data makes it clear that you must secure the "quiet majority" of your software supply chain with the same rigor as your most critical workloads.

A new baseline for trusted open source

Across the data, one takeaway stands out: modern software is powered by a wide, shifting portfolio of open source components, most of which live outside the top 20 most popular images. That is not where developers spend their time, but it is where the bulk of security and compliance risk accumulates.

This creates a concerning disconnect: it is rational for engineering teams to focus on the small set of projects that matter most to their stack, but the majority of exposure sits in the vast set of dependencies they do not have the time to manage.

That is why breadth matters. Chainguard is built to absorb the operational burden of the longtail, providing coverage and remediation at a scale that individual teams cannot justify on their own. As open source supply chains grow more complex, Chainguard will continue to track usage patterns and shine a light on where risk really resides, so you do not have to fight the battle against the longtail alone.

Ready to get started with the trusted source for open source? Contact Chainguard to learn more.

Note: This article was written and contributed by Ed Sawma, VP Product Marketing, and Sasha Itkis, Product Analyst.