2026 Changelog

April 1 2026

Default container user changed to non-root across all images

All Chainguard Container images now run as a non-root user by default, aligning with Chainguard’s security-hardening standards. Review your workloads for root requirements and set securityContext.runAsUser: 0 (Kubernetes) or --user root (Docker) where needed.

March 15 2026

OpenSSL updated to address CVE-2026-XXXXX in all images

All Chainguard Container images containing OpenSSL have been updated to address CVE-2026-XXXXX, a high-severity vulnerability affecting TLS handshake processing. Pull the latest version of any affected image; if you are pinned to a digest, update your digest reference.

Provenance attestations now included by default for all images

All images now ship with signed provenance attestations conforming to SLSA Build Level 2. No action is required; attestations are automatically available via the Chainguard API and cosign verify-attestation.

March 1 2026

Expanded AI/ML image catalog now available

Hardened images for PyTorch, TensorFlow, JAX, and common AI/ML tooling are now available in the standard Chainguard catalog, all built with zero known CVEs and including SBOMs. See the AI/ML image catalog for the full list.

Legacy image tag format YYYYMMDD deprecated

The date-stamped tag format (e.g., image:20250315) is deprecated and will be removed in Q3 2026. Migrate to the supported :latest or digest-pinned references before then.