The current state of trusted open source

By user, January 8, 2026

Chainguard, the go-to source for open source, has a unique perspective on how modern organizations actually use open source software and where they face risk and operational burden. With a growing customer base and an extensive catalog of over 1,800 container image projects, 148,000 versions, 290,000 images, 100,000 language libraries, and nearly 500 million builds, Chainguard can see the reality of what teams pull, deploy, and maintain on a daily basis, along with the vulnerabilities and remediation work that come with it.

That’s why they created “The State of Trusted Open Source,” a quarterly update on the open source software supply chain. In analyzing anonymized product usage and CVE data, the Chainguard team noticed common themes around what open source engineering teams are actually building and the risks that come with it.

Here’s what they found:

  • AI is rebuilding the baseline stack. Python is the most popular open source image across Chainguard’s global customer base, powering the modern AI stack.
  • More than half of production runs outside the most popular projects. Most teams have standardized on a familiar set of images, but real-world infrastructure is powered by a broad portfolio that extends well beyond the top 20 most popular. This report refers to that portfolio as the long-tail images.
  • Popularity does not correspond to risk. 98% of the vulnerabilities discovered and remediated in Chainguard images occurred outside the top 20 most popular projects. The greatest security burden therefore accumulates in the less visible parts of the stack, where patching is hardest to operationalize.
  • Compliance can be a call to action. Compliance now takes many forms, from SBOM and vulnerability requirements, to industry frameworks such as PCI DSS and SOC 2, to regulations such as the EU Cyber Resilience Act. FIPS is just one example, focused specifically on the US federal encryption standard. Still, 44% of Chainguard customers run FIPS images in production, highlighting how often regulatory needs shape real-world software decisions.
  • Trust is built on speed of repair. Chainguard eliminated critical CVEs within an average of 20 hours.

Before we get into it, a note on methodology: this report analyzes over 1,800 unique container image projects, 10,100 total vulnerability instances, and 154 unique CVEs tracked from September 1, 2025 to November 30, 2025. When we use terms such as “top 20 projects” or “long-tail projects” (defined as all images other than the top 20), we are referring to the actual usage patterns observed across Chainguard’s customer portfolio and in-production pulls.

Usage: What your team actually does in production

Zoomed out, today’s production container footprint looks as expected: base languages, runtimes, and infrastructure components dominate the most popular list.

Most popular image: AI rebuilds baseline stack

Across all regions, the top images are well-known staples: Python (71.7% of customers), Node (56.5%), nginx (40.1%), go (33.5%), and redis (31.4%), followed by JDK, JRE, and a cluster of core observability and platform tools such as Grafana, Prometheus, Istio, cert-manager, argocd, ingress-nginx, and kube-state-metrics.

This indicates that customers operate a portfolio of critical building blocks such as languages, gateways, service meshes, monitoring, and controllers that collectively form the foundation of their business.

It’s no surprise that Python is leading the way as the default glue language for modern AI stacks globally. Teams typically standardize on Python for model development, data pipelines, and even production inference services.

Most popular by region: similar base, different long tail mix

North America exhibits a broad and consistent set of default production building blocks, including Python (71.7% of customers), Node (56.6%), nginx (39.8%), go (31.9%), and redis (31.5%), as well as Kubernetes ecosystem components (cert-manager, istio, argocd, prometheus, kube-state-metrics, node-exporter, kuvector). Notably, even utility images such as busybox appear at meaningful rates.

Outside of North America, you’ll see the same core stack, but the spread of the portfolio differs. Python (72% of customers), Node (55.8%), Go (44.2%), and nginx (41.9%) lead, and the .NET runtimes (aspnet-runtime, dotnet-runtime, dotnet-sdk) and PostgreSQL are prominent.

Long tails in images are important for production, not edge cases

Chainguard’s most popular images, the top 20, account for only 1.37% of all available images yet about half of all container pulls. The other half of production usage comes from elsewhere: 1,436 long-tail images, representing 61.42% of the average customer’s container portfolio.

This means that half of all production workloads run on long-tail images. These are not special cases; they are the core of Chainguard customers’ infrastructure. It’s relatively easy to keep the top few images polished, but trusted open source requires maintaining security and speed across the wide range of images that customers actually run.

Using FIPS: Compliance is a catalyst for action

FIPS-validated cryptography is essential in compliance environments that must meet U.S. federal encryption requirements, and it provides a useful window into how regulatory pressure drives adoption. The data shows that 44% of customers run at least one FIPS image in production.

The pattern is consistent. When working within compliance frameworks such as FedRAMP, DoD IL-5, PCI DSS, SOC 2, CRA, Essential Eight, and HIPAA, teams need hardened, trusted open source software that mirrors their commercial workloads. The most used FIPS images are backed by a broader portfolio of hardened cryptographic modules that can be audited and verified.

Top FIPS image projects include Python-fips (62% of customers with at least one FIPS image in production), Node-fips (50%), nginx-fips (47.2%), go-fips (33.8%), and redis-fips (33.1%), as well as platform components such as istio-pilot-fips, istio-proxy-fips, and the cert-manager variants. Support libraries and cryptographic infrastructure such as glibc-openssl-fips also appear.

FIPS isn’t the whole story, but it does point to a broader truth. Compliance is a universal driver, highlighting the need for trusted open source across the entire software stack.

CVE: Popularity does not correspond to risk

Looking at Chainguard’s entire image catalog, risk is overwhelmingly concentrated outside of the most popular images. Of the CVEs that Chainguard remediated in the past three months, 214 occurred in the top 20 images, accounting for just 2% of all CVEs. Look beyond those top images and you’ll find the remaining 98% of CVEs (10,785 CVE instances) that Chainguard remediated. That is 50 times the number of CVEs in the top 20 images.

While the largest share of CVEs is classified as “medium,” operational urgency often depends on how quickly “critical” and “high” CVEs can be addressed, and on whether customers can trust that speed across the entire portfolio, not just the most common images.

Trust is built on speed of repair

Trust is measured in time to fix, and Chainguard knows this matters most for critical CVEs. Over the three-month period analyzed, Chainguard’s team kept the average time to remediate critical CVEs under 20 hours, with 63.5% of critical CVEs resolved within 24 hours, 97.6% within 2 days, and 100% within 3 days.

Beyond critical CVEs, the team addressed high CVEs in 2.05 days, medium CVEs in 2.5 days, and low CVEs in 3.05 days on average. This was significantly faster than Chainguard’s SLA (7 days for critical CVEs and 14 days for high, medium, and low CVEs).

And this speed is not limited to the most popular packages. For every CVE fixed in the top 20 image projects, 50 CVEs were resolved in less popular images.
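The long-tail concentration and time-to-remediate figures above are the two metrics a team would want to reproduce against its own image inventory. The following is an added example, not code from the article or from Chainguard: it takes a list of remediated vulnerability instances (constructed sample data with placeholder image names and CVE ids) and pull counts per image, ranks the top-N images, computes the share of instances that fell outside them, the mean time-to-remediate per severity, the fraction of critical fixes landing within a time window, and any instances that breached the SLA stated in the article (7 days for critical, 14 days for the rest). The sample uses a top-3 cutoff so the numbers are easy to follow; the article's own cutoff is 20.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# SLA targets as stated in the article: 7 days for critical, 14 days for the rest.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 14, "low": 14}


@dataclass(frozen=True)
class CveInstance:
    """One remediated vulnerability instance in one image project."""
    cve: str          # placeholder identifier (constructed, not a real CVE)
    image: str        # image project the instance was found in
    severity: str     # critical / high / medium / low
    found: datetime   # when the vulnerable version was detected
    fixed: datetime   # when the patched image was published


def top_n_images(pulls, n=20):
    """Return the n most-pulled image projects (the article's 'top 20')."""
    ranked = sorted(pulls, key=lambda img: pulls[img], reverse=True)
    return set(ranked[:n])


def long_tail_share(instances, top):
    """Fraction of remediated instances that occurred outside the top images."""
    if not instances:
        return 0.0
    outside = sum(1 for i in instances if i.image not in top)
    return outside / len(instances)


def mean_ttr_days(instances, severity):
    """Mean time-to-remediate in days for one severity (None if no instances)."""
    sel = [i for i in instances if i.severity == severity]
    if not sel:
        return None
    total = sum((i.fixed - i.found).total_seconds() for i in sel)
    return total / len(sel) / 86400


def fixed_within(instances, severity, hours):
    """Fraction of instances of one severity remediated within `hours`."""
    sel = [i for i in instances if i.severity == severity]
    if not sel:
        return 0.0
    hit = sum(1 for i in sel if i.fixed - i.found <= timedelta(hours=hours))
    return hit / len(sel)


def sla_breaches(instances, sla_days=SLA_DAYS):
    """Instances whose time-to-remediate exceeded the SLA for their severity."""
    return [i for i in instances
            if i.fixed - i.found > timedelta(days=sla_days[i.severity])]


# Constructed sample data: pull counts per image project and six remediated
# instances. Image names and CVE ids are illustrative placeholders only.
PULLS = {"python": 900, "node": 700, "nginx": 500,
         "some-exporter": 40, "legacy-parser": 5}


def _dt(day, hour=0):
    return datetime(2025, 9, day, hour)


INSTANCES = [
    CveInstance("CVE-EXAMPLE-1", "python",        "critical", _dt(1), _dt(1, 12)),
    CveInstance("CVE-EXAMPLE-2", "some-exporter", "critical", _dt(2), _dt(3, 6)),
    CveInstance("CVE-EXAMPLE-3", "legacy-parser", "high",     _dt(3), _dt(6)),
    CveInstance("CVE-EXAMPLE-4", "legacy-parser", "medium",   _dt(4), _dt(20)),
    CveInstance("CVE-EXAMPLE-5", "some-exporter", "low",      _dt(5), _dt(7)),
    CveInstance("CVE-EXAMPLE-6", "nginx",         "medium",   _dt(6), _dt(8)),
]


def summarize(instances=INSTANCES, pulls=PULLS, n=3):
    """Produce the report-style metrics for a set of instances."""
    top = top_n_images(pulls, n)
    return {
        "top_images": top,
        "long_tail_share": long_tail_share(instances, top),
        "critical_mean_ttr_days": mean_ttr_days(instances, "critical"),
        "critical_fixed_within_24h": fixed_within(instances, "critical", 24),
        "sla_breaches": [i.cve for i in sla_breaches(instances)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the sample data, four of the six instances sit outside the top three images (a 67% long-tail share), critical fixes average 0.875 days with half of them inside 24 hours, and one medium-severity instance in a long-tail image overran the 14-day SLA, which is exactly the kind of quiet breach the article says accumulates outside the core stack.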

This long tail is where most of your real exposure is hidden, and it can feel hopeless to keep up. Most engineering organizations cannot allocate resources to patch vulnerabilities in packages outside of the core stack. But the data is clear that the “silent majority” of the software supply chain must be protected with the same rigor as the most critical workloads.

A new baseline of trusted open source

Looking at the data as a whole, one thing stands out: modern software relies on a wide and changing portfolio of open source components, most of which sit outside the top 20 most popular images. That is not where developers spend their time, but it is where the majority of security and compliance risk accumulates.

This creates a worrying disconnect. While it makes sense for engineering teams to focus on the few projects that are most important to their stack, the bulk of their exposure is in a plethora of dependencies that they don’t have time to manage.

That’s why breadth matters. Chainguard is built to absorb the long-tail operational load, providing response and remediation at a scale that individual teams cannot justify on their own. As open source supply chains become more complex, Chainguard continues to track usage patterns and shine a light on where risk really lives, so you don’t have to fight the long tail alone.

Ready to start using trusted open source? Contact Chainguard to learn more.

Note: This article was professionally written and contributed by Ed Sawma, VP of Product Marketing, and Sasha Itkis, Product Analyst.
