In December 2025, we shared the first-ever The State of Trusted Open Source report, which includes insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain every day, alongside the vulnerabilities and remediation realities those projects face.
Fast forward a few months, and software development is accelerating at a pace that most didn't see coming. AI is increasingly embedded across the development lifecycle, from code generation to infrastructure automation, as models become more advanced and better at meeting the demands of modern work. This shift is expanding what teams can build and how quickly they can ship.
It is also reshaping the security landscape.
Before diving into the numbers, it's important to explain how we perform this analysis. We examined over 2,200 unique container image projects, 33,931 total vulnerability instances, and 377 unique CVEs from December 1, 2026, through February 28, 2026. When we use terms like "top 20 projects" and "long tail projects" (defined as images outside of the top 20), we're referring to real usage patterns observed across our customer portfolio and in production pulls.
In this report, we noticed a few new themes that point to this shift. These themes build on the trends from our last report, ultimately showcasing the impact of increased AI-driven development both in the types of container images being used and in the number of CVEs being discovered and remediated:
- Python and PostgreSQL growth reflects AI-driven development: Python remains the most popular image (72.1% of all customers use it), and PostgreSQL saw a 73% increase in usage quarter-over-quarter, underscoring the growing adoption of a modern AI stack across diverse use cases.
- The modern platform stack is becoming increasingly standardized: Across Chainguard customers, language ecosystem images account for more than half of the top 25 images used in production.
- Chainguard Base is becoming a foundation for developer tooling: The chainguard-base image, a minimal distroless base image without any toolchain or apps, was the fifth most-used Chainguard image, as customers use it as a kind of "utility belt" for their specific use cases (over 75% of Chainguard customers customize at least one image).
- AI is accelerating software development and vulnerability discovery: We applied over 300% more fixes in Chainguard Containers and saw a 145% increase in vulnerabilities from last quarter, signaling the use of AI to push more code and discover more CVEs.
- The long tail continues to define real-world risk: 96% of the vulnerabilities found and remediated in Chainguard Containers occurred outside of the top 20 most popular projects, which is consistent with the findings from December.
- Compliance continues to drive adoption of trusted open source: We saw the same themes from December present here, underscored by a FIPS-compliant variant of a Chainguard container image entering the top 10 images by customer count for the first time.
Usage: What teams actually run in production
We identified several themes centered on the prevalence of AI in code generation across regions and industries. This prevalence leads to greater adoption of the Python language ecosystem and adjacent technologies on the usage side.
Most popular images: Python and PostgreSQL growth reflect AI-driven development
PostgreSQL usage grew 73% quarter-over-quarter
The images that saw the strongest growth this quarter closely align with the technologies driving AI adoption.
Python remains the most widely deployed image across Chainguard customers. When combining FIPS (Federal Information Processing Standards) and non-FIPS variants, 72.1% of Chainguard customers are using a Python image. This reflects Python's role as the default language for machine learning, data pipelines, and automation. What was once concentrated in experimentation environments is now moving into production systems across industries.
Node continues to anchor application infrastructure, with 60.7% of Chainguard customers using it in their environments. Together, Python and Node define the dominant runtime layer for modern applications.
The most notable change this quarter is in databases. PostgreSQL usage grew by 73% quarter over quarter, the largest increase among widely deployed images.
This growth aligns with broader trends in AI workloads. PostgreSQL is increasingly used as a foundation for vector search and retrieval-augmented generation, supported by extensions that enable embedding storage and similarity queries. As AI moves into production, databases are evolving alongside application runtimes.

The modern platform stack is converging
Over 50% of the most popular images are language ecosystems
This quarter, the data showed that production environments are converging around a consistent set of foundational components.
Language ecosystems account for more than half of the top 25 images used across customers. Python (72.1% of all customers), Node (60.7%), Java (44.4%), Go (42.8%), and .NET (27%) continue to define the runtime layer, with growth across each ecosystem.
Outside of runtimes, teams are standardizing on a familiar set of cloud-native components. Traffic management tools such as nginx and service mesh components remain widely deployed. Monitoring systems built around Prometheus continue to grow. Deployment workflows are increasingly anchored in GitOps tools such as ArgoCD and kubectl.
The result is a layered architecture that is broadly consistent across organizations: a small number of runtimes, a shared set of operational components, and a large and highly variable long tail of supporting dependencies.
Standardization is happening at the platform level, even as application-specific variation continues to grow.
Chainguard Base is becoming a foundation for developer tooling
Chainguard-base was the fifth most-deployed image by customer count
Chainguard Base is a minimal distroless base image without any toolchain or applications. It is designed to provide a secure foundation that teams can extend with only the components they need.
This quarter, it was the fifth-most-deployed image by customer count, used by 36.3% of customers across FIPS and non-FIPS variants.
Its role becomes clearer when looking at customization patterns. Across all customized repositories, 95% include added packages, and more than three-quarters of customers customize at least one image.
When organizations customize Chainguard Containers, the most frequently added packages are developer and operational utilities such as curl, bash, jq, git, and cloud tooling. These are not full application stacks. They are the tools needed to build, debug, and operate software.
This demonstrates a consistent pattern: teams use Chainguard Base as a secure starting point, then layer in the specific tooling required for their workflows. It is serving as a flexible foundation for CI/CD pipelines, debugging environments, and internal platform tooling.
As platform engineering practices mature, the need for secure, customizable base environments is becoming more pronounced. Chainguard Base is emerging as a core building block in that model.

CVEs: AI is accelerating software development and vulnerability discovery
Over 300% more fix instances this quarter
Just as we saw on the usage side with the rise in Python and PostgreSQL container images, AI is also changing the speed at which vulnerabilities surface.
In the previous report, we tracked 154 unique CVEs and 10,100 fix instances across Chainguard Containers. This quarter, that number rose to 377 unique CVEs and 33,931 fix instances (a 145% increase in unique vulnerabilities and over 300% more fixes applied compared to last quarter).
This increase reflects two parallel forces: 1) development is becoming faster and more distributed, which increases the number of dependencies entering production environments; and 2) vulnerability discovery is accelerating as researchers and attackers use automation and AI-assisted methods to analyze code at scale.
The result is a tighter feedback loop between development and security. More code is being written, more dependencies are being introduced, and more vulnerabilities are being identified across the ecosystem.
What stands out is not only the increase in volume, but the Chainguard Factory's ability to respond to it. Median remediation time held essentially flat at 2.0 days compared to 1.96 days last quarter, despite the much higher volume. High-severity vulnerabilities continued to be resolved quickly, with 97.9% fixed within one week.
The pace of discovery is increasing. The expectation for response is keeping up.

The long tail continues to define real-world risk
96% of CVEs occur outside the most popular images
While core infrastructure is becoming more standardized, most of the software supply chain lives outside the most visible components. Let us explain: the median customer sources about 74% of their images from the long tail of the catalog (images outside the top 20 in popularity). This reflects the reality that production environments extend far beyond a small set of widely used images.
Security risk follows the same pattern.
This quarter, 96.2% of CVE instances occurred outside the top 20 most widely used images. This is consistent with the previous report, which found that nearly all vulnerabilities were concentrated in long-tail projects.
The implication is simple: the images that teams interact with most frequently represent only a small portion of their actual exposure. The majority of vulnerabilities exist in dependencies that are less visible, less frequently updated, and often not directly owned by application teams.
Even across severity levels, the distribution holds. Critical, High, Medium, and Low vulnerabilities all follow the same pattern, with the overwhelming majority (96.18% on average) occurring outside the top 20 images. Attackers know what's popular, so they tend to look for vulnerable areas that are outside most users' top-of-mind.
As development accelerates and dependency graphs grow, managing the long tail becomes the central challenge of software supply chain security.
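The metrics used in the two CVE sections above (unique CVEs versus fix instances, the top-N versus long-tail split, the per-severity breakdown, median days-to-fix and the share of high-severity fixes closed within a week) can be reproduced on your own image inventory. The following Python is an added example, not Chainguard's analysis code; the image names, customer ids, CVE ids and days-to-fix values are constructed placeholders.

```python
from statistics import median

# Constructed sample inventory (not Chainguard's dataset): image -> set of customer ids.
USAGE = {
    "python": {"c1", "c2", "c3", "c4"},
    "node": {"c1", "c2", "c3"},
    "postgres": {"c2", "c3"},
    "nginx": {"c1", "c4"},
    "tail-lib-a": {"c4"},
    "tail-lib-b": {"c3"},
    "tail-lib-c": {"c2"},
}

# Constructed fix instances: (image, CVE id, severity, days from disclosure to fix).
# One CVE can affect several images, which is why instances outnumber unique CVEs.
FIXES = [
    ("python", "CVE-EXAMPLE-0001", "High", 1.0),
    ("node", "CVE-EXAMPLE-0002", "Medium", 2.0),
    ("tail-lib-a", "CVE-EXAMPLE-0003", "Critical", 3.0),
    ("tail-lib-a", "CVE-EXAMPLE-0004", "High", 1.5),
    ("tail-lib-b", "CVE-EXAMPLE-0005", "Low", 4.0),
    ("tail-lib-b", "CVE-EXAMPLE-0003", "Critical", 2.0),
    ("tail-lib-c", "CVE-EXAMPLE-0006", "High", 9.0),
    ("tail-lib-c", "CVE-EXAMPLE-0007", "Medium", 2.5),
]

def top_n_images(usage, n):
    """Rank images by distinct customer count (ties broken by name) and keep the top n."""
    ranked = sorted(usage, key=lambda img: (-len(usage[img]), img))
    return set(ranked[:n])

def long_tail_share(fixes, top, severity=None):
    """Fraction of fix instances (optionally of one severity) on images outside `top`."""
    rows = [f for f in fixes if severity is None or f[2] == severity]
    if not rows:
        return 0.0
    return sum(1 for f in rows if f[0] not in top) / len(rows)

def remediation_stats(fixes, high_sevs=("Critical", "High"), window_days=7):
    """Median days-to-fix over all instances, and share of high-severity fixes inside the window."""
    days = [f[3] for f in fixes]
    high = [f[3] for f in fixes if f[2] in high_sevs]
    within = sum(1 for d in high if d <= window_days) / len(high) if high else 0.0
    return median(days), within

def unique_cves(fixes):
    """Number of distinct CVE ids behind the instance count."""
    return len({f[1] for f in fixes})
```

With the sample data the two most-used images are python and node, and 6 of the 8 fix instances (75%) land in the long tail, mirroring the shape of the report's 96% figure on a toy scale.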

Compliance is reshaping adoption patterns
Regulatory requirements are increasingly influencing how organizations build and deploy software.
This quarter marks the first time a FIPS-compliant Chainguard image (python-fips) has reached the top 10 by customer count, even when FIPS and non-FIPS variants are combined into a single metric. This milestone reflects a broader shift toward compliance-driven adoption.
FIPS adoption is growing across multiple runtimes. Python FIPS, Node FIPS, and nginx FIPS images all saw growth in customer counts over the quarter.
Overall, 42% of customers now run at least one FIPS image in production.
This reflects the growing influence of frameworks such as FedRAMP, PCI DSS, SOC 2, and the EU Cyber Resilience Act. Compliance is no longer limited to a subset of industries. It is becoming a baseline requirement for software that operates in regulated environments.
As a result, secure and compliant images are moving from optional to expected.

A secure foundation for the AI era
The data from this quarter points to a clear trend. Software ecosystems are expanding. The number of unique images in use grew by 18%, reflecting broader adoption and more diverse workloads. At the same time, vulnerability discovery increased significantly, with a 145% rise in unique CVEs and a 3x increase in fixes.
Despite that growth, Chainguard's remediation performance remained stable. Median fix times held steady, and high-severity vulnerabilities continued to be resolved quickly. This combination matters. It shows that it is possible to scale both coverage and responsiveness simultaneously.
As AI continues to accelerate development, the volume of code and dependencies will grow. The challenge for security teams is not merely to keep up with that growth, but to manage it in a way that maintains consistency and trust. The organizations that succeed will be those that treat security as part of the development system itself, rather than as a layer applied afterward.
At Chainguard, we recognize the challenges that security and engineering teams face as AI technology becomes increasingly ubiquitous. We recently introduced products such as Chainguard Agent Experience and Chainguard Actions to address this problem directly. As development accelerates, organizations must address hidden attack vectors throughout the software development lifecycle. The trusted open source we offer creates a secure-by-default foundation you can build on.
Ready to learn more about how Chainguard can protect your open source artifacts? Get in touch with our team today.