Chainguard tightens lid on software artefacts with ‘the’ Guardener

Not all products, places, people or things get to enjoy a ‘the’ prefix and bask in the glory of being a definite article.

English language hangovers from the French Mandate of Le Liban meant that, for a time, we referred to The Lebanon, but now it’s simply Lebanon. These days (although some people would count the Netherlands and a few others), it’s really just The Bahamas and The Gambia.

In technology, most products simply get a name, plain and simple.

Known for its work delivering hardened and secured production-ready builds of open source, Chainguard has bucked the trend and introduced ‘the’ Guardener (sounds like gardener, but it guards, get it?), an AI agent that enables continuous maintenance of Chainguard’s trusted open source artefacts across software development and deployment workflows. 

Today, the Guardener automatically converts bloated, legacy Dockerfiles to use minimal, zero-CVE Chainguard container images, eliminating manual migration toil while preserving developer velocity. 

Over time, the Guardener will extend more capabilities of the Chainguard Factory to Chainguard customers. The company says this will make the infrastructure an organisation uses to build and maintain open source software “secure-by-default”, and accessible enough that developers can automate migrations, perform dependency updates and carry out ongoing artefact maintenance directly within their CI/CD environments. 

A compounding security gap 

Trusted container images have become a foundational layer of the modern software development lifecycle, but organisations of all sizes struggle to move legacy, bloated distro-based images to distroless, zero-CVE defaults.

Engineering teams understand that trusted images are critical, but providing a path to secure-by-default artefacts that scale across teams without introducing developer toil or refactoring overhead is a challenge. As AI accelerates software development, the number of artefacts requiring maintenance is growing exponentially, making manual migration and periodic remediation unsustainable. To keep pace, organisations need intelligent, continuous maintenance that can automatically migrate, evolve and update software artefacts across their CI/CD systems.

“We’ve entered the agentic software development era and the volume of code being generated is growing far beyond what humans can reasonably maintain,” said Dan Lorenc, CEO and co-founder, Chainguard. “The Guardener is our vision for how that changes: an intelligent system that can continuously build, update and improve the artefacts developers and AI agents rely on. We’re extending the same software factory we built to manage and harden open source at scale to everyone. Our goal is to help teams build efficient CI/CD systems they’re confident in, where secure software is the default.”

The Guardener gathers environmental context and insights to understand what a Dockerfile is designed to do, rebuilds it line by line and continuously tests as it goes. The agent transforms what was once a time-intensive migration effort into a seamless, automated workflow.

CEO Lorenc: Our goal is secure software, by default.

With the Guardener, software application development teams can generate golden image catalogues or migrate individual Dockerfiles to use zero-CVE Chainguard base images. All this happens without requiring developers to learn new package managers or refactor workflows. It also delivers verifiable post-migration insights, including comparisons of image size, vulnerability posture and filesystem changes, providing audit trails for engineering and security teams. 

Monki-logic

“Shift left security for web and container-based infrastructures essentially failed because we put the development burden on developers and the maintenance burden on busy ops and platform teams,” said James Governor, analyst and co-founder, RedMonk. “The only way to make developers change their habits and workflows is if you make the right thing the easy thing. That means automation and a great developer and operator experience – the focus of Chainguard’s efforts in supply chain security with Guardener. Continuous maintenance is becoming mandatory as AI code generation explodes.” 

Key capabilities include:

  • AI-powered orchestration: The Guardener makes contextual decisions about package mappings and migration strategies, incrementally building and testing Dockerfiles to produce accurate, stable conversions beyond basic text replacement.
  • Incremental validation: Dockerfiles are rebuilt layer by layer to detect divergence early, providing functional equivalence checks and detailed migration reports.
  • GitHub or local deployment: The Guardener can be deployed via a GitHub app integration or locally in your environment, the latter providing deeper context, telemetry and validation. The Guardener calls back to Chainguard via API, delivering accuracy that, the company says, standalone tools can’t match.
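As an added illustration of the conversion step described above (contextual package and base-image mapping, a different decision per stage, and a report of every divergence rather than a blind text replacement), here is a small Python script. It is not the Guardener or any Chainguard code. It rewrites a Debian-based multi-stage Dockerfile onto Chainguard bases: build stages, and any stage that still runs commands, get the `-dev` variant (which keeps a shell and apk), the shipped stage gets the minimal variant, `apt-get` steps become `apk add`, a shell-form `CMD` is converted to exec form because the minimal image has no shell, and everything the script cannot map (unknown packages, unmapped bases, shell syntax in `CMD`, a missing `USER`) is reported rather than guessed. The base and package mapping tables, the `latest`/`latest-dev` tag choice and the sample Dockerfile are assumptions made for the example; the build-and-test loop that would validate each rewritten stage is deliberately left out, so the warnings are the list of things a build has to confirm.

```python
"""Added example, not Chainguard code: map a Debian-based Dockerfile onto Chainguard
base images and report each divergence a build would have to confirm. The mapping
tables are illustrative assumptions; nothing here builds or runs an image."""
import json
import re
import shlex
from dataclasses import dataclass, field

# Assumed upstream base -> Chainguard image, and Debian -> Wolfi (apk) package names.
BASE_MAP = {"python": "cgr.dev/chainguard/python", "node": "cgr.dev/chainguard/node",
            "debian": "cgr.dev/chainguard/wolfi-base", "ubuntu": "cgr.dev/chainguard/wolfi-base"}
PKG_MAP = {"curl": "curl", "ca-certificates": "ca-certificates", "git": "git",
           "build-essential": "build-base", "libpq-dev": "postgresql-dev"}

@dataclass
class Migration:
    dockerfile: str = ""
    unmapped_packages: list[str] = field(default_factory=list)  # reported, never guessed
    warnings: list[str] = field(default_factory=list)

def parse_instructions(text: str) -> list[str]:
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash continuations
    return [l.strip() for l in joined.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def map_base(image: str, dev: bool):
    # docker.io/library/python:3.12-slim -> "python"; -dev variants keep a shell and apk
    name = image.partition("@")[0].rsplit("/", 1)[-1].split(":")[0]
    target = BASE_MAP.get(name)
    return None if target is None else f"{target}:{'latest-dev' if dev else 'latest'}"

def rewrite_run(cmd: str, mig: Migration) -> str:
    """Translate apt-get steps to apk; every other command passes through untouched."""
    kept = []
    for part in (p.strip() for p in cmd.split("&&")):
        if re.match(r"apt(-get)?\s+update\b", part) or "/var/lib/apt/lists" in part:
            continue  # apk add --no-cache needs neither an index refresh nor a cleanup step
        m = re.match(r"apt(-get)?\s+install\s+(.*)", part)
        if not m:
            kept.append(part)
            continue
        pkgs = [t for t in m.group(2).split() if not t.startswith("-")]  # drop -y and friends
        mig.unmapped_packages += [p for p in pkgs if p not in PKG_MAP]  # left for a human to resolve
        kept.append("apk add --no-cache " + " ".join(PKG_MAP.get(p, p) for p in pkgs))
    return " && ".join(kept)

def migrate(text: str) -> Migration:
    mig, out = Migration(), []
    instrs = parse_instructions(text)
    starts = sorted({0, *(i for i, ins in enumerate(instrs) if ins.split(maxsplit=1)[0].upper() == "FROM")})
    stages = [instrs[a:b] for a, b in zip(starts, starts[1:] + [len(instrs)])]
    for idx, stage in enumerate(stages):
        final = idx == len(stages) - 1
        # A stage that runs commands needs a shell and a package manager, i.e. the -dev variant.
        dev = not final or any(i.split(maxsplit=1)[0].upper() == "RUN" for i in stage)
        mapped = has_user = False
        for ins in stage:
            word, _, rest = ins.partition(" ")
            w = word.upper()
            if w == "FROM":
                m = re.match(r"(\S+)(\s+AS\s+\S+)?$", rest, re.I)
                new = map_base(m.group(1), dev) if m else None
                mapped = new is not None
                if not mapped:
                    mig.warnings.append(f"no Chainguard mapping for base {rest!r}; left unchanged")
                elif final and dev:
                    mig.warnings.append(f"final stage uses {new}: move its RUN steps to a build stage to ship the minimal image")
                out.append(f"FROM {new}{m.group(2) or ''}" if mapped else ins)
            elif w == "RUN":
                out.append("RUN " + rewrite_run(rest, mig))
            elif w in ("CMD", "ENTRYPOINT") and mapped and not dev and not rest.lstrip().startswith("["):
                if re.search(r"[$|&;<>`*?]", rest):  # shell syntax, but the minimal image has no /bin/sh
                    mig.warnings.append(f"{w} needs a shell ({rest!r}) but the minimal image has none")
                    out.append(ins)
                else:
                    out.append(f"{w} {json.dumps(shlex.split(rest))}")  # exec form runs without a shell
            else:
                has_user |= w == "USER"
                out.append(ins)
        if final and mapped and not has_user:
            mig.warnings.append("no USER in final stage: Chainguard images default to a non-root user, "
                                "Debian-based bases to root; check file ownership and privileged ports")
    mig.dockerfile = "\n".join(out) + "\n"
    return mig

# Constructed sample input for this example (not taken from any real project).
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS build
RUN apt-get update && apt-get install -y --no-install-recommends \\
        build-essential libpq-dev libfoo-dev \\
    && rm -rf /var/lib/apt/lists/*
RUN pip install --no-cache-dir --target /deps flask

FROM python:3.12-slim
COPY --from=build /deps /deps
COPY app.py /app/app.py
CMD python /app/app.py
"""

if __name__ == "__main__":
    print(migrate(SAMPLE_DOCKERFILE))  # rewritten file, unmapped packages and warnings
```

On the sample input the build stage lands on the `-dev` image with `apk add --no-cache build-base postgresql-dev libfoo-dev` (with `libfoo-dev` reported as unmapped), the shipped stage lands on the minimal image with an exec-form `CMD`, and the only warning is the missing `USER`; a final stage that still contains `RUN` steps is kept buildable on the `-dev` variant and flagged, which mirrors the "functional parity first, minimisation second" order the company describes.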

The Computer Weekly Developer Network (CWDN) spoke to Chainguard CEO and co-founder Dan Lorenc personally to get the inside track on what the company’s latest product release means for developers.

CWDN: How will your “software factory” model prevent AI-generated code from creating an unmanageable explosion of new, unverified software dependencies?

Lorenc: This is exactly what the Guardener is designed for. AI is making it ridiculously easy to assemble software from thousands of open source components. That’s great for productivity and terrible for software supply chain security. The Chainguard Factory changes how those components get built and maintained. Instead of every team pulling random dependencies from the Internet, with the Guardener, they consume artefacts that are continuously rebuilt from source, patched and verified in one place.

CWDN: Can you explain how Guardener ensures “functional equivalence” during migration so developers don’t face a massive manual testing burden?

Lorenc: Migration is a hard problem. Engineers spend a lot of time doing migrations and almost as much time building test coverage just to prove nothing broke. Even small changes can take real effort because the last time someone touched the system might have been a year or two ago. The Guardener doesn’t try to rewrite the entire Dockerfile in one shot. It works through it line by line, rebuilding the image incrementally and validating behaviour at each step. That approach builds confidence over time and generates the tests and parity checks needed to prove the new image behaves exactly like the original.

CWDN: How does the Guardener balance aggressive “distroless” minimisation with the functional requirements developers need to avoid breaking production builds?

Lorenc: The Guardener doesn’t start by aggressively minimising anything. The first pass produces an equivalent Dockerfile that we’re confident works. The goal of that first step is functional parity with the same behaviour, dependencies and output rebuilt in a way we can reason about and validate. Once that baseline exists, the Guardener can apply a set of optimisations. That’s where distroless minimisation and other improvements come in. 

Onward evolution

As developers and agents interface with the Guardener, it will evolve to unlock more value from the Chainguard Factory, including ongoing build and maintenance, i.e. moving from Dockerfile conversion to custom image builds with ongoing maintenance powered by the Chainguard Factory’s AI-native, hardened SLSA Level 3 pipeline, enabling automatic updates to images and dependencies.

Greater customisation is also now possible to enable teams to tailor an agent through configurable skills and policies that support team-specific workflows without slowing developer velocity.

The Guardener is available now in beta.