As supply chain attacks on enterprises continue, a purveyor of hardened container images wants to make it easier for IT organizations to customize their deployments while maintaining a zero-vulnerability pledge.

Chainguard Inc. this week added a beta-stage SaaS service called Custom Assembly for its Chainguard Images. These are a set of Linux container images that strip out most standard software packages, and with them a majority of known security vulnerabilities. While growing interest in Chainguard Images made them a focal point for the vendor over the last year, users were also asking for more flexibility to add some standard software packages back in or to mix components from different standard Chainguard Images together, according to Julian Dunn, senior director of product management at Chainguard.

Chainguard Images come in a limited set of standard configurations separated by programming language, such as Java, Python or Go, but Dunn said there have been cases where customers want to put Python libraries into a Go image or want to combine two of the images to conform to an application's specific requirements.


"We would do this as a one-off for folks," he said. "[But] at a certain point, we saw enough demand from our customers that instead of trying to address these [individually], we believe that there's enough energy here among the customer base that we should make this a service and let customers compose these things on their own."

Chainguard weighs security and flexibility

Chainguard Images will still be distributed in the same way -- downloaded to a customer's mirror of an artifact repository for deployment through internal software delivery systems. The new Custom Assembly service deliberately stops short of acting as a full-fledged container build pipeline, Dunn said.

"We're not getting into the [continuous delivery] space. We're not letting people upload their own content," Dunn said. "This is [a] customization of the stock images that Chainguard provides."

The company made that choice to uphold its service-level agreement (SLA) for Chainguard Images, Dunn said. Under this agreement, Chainguard pledges to make "commercially reasonable efforts" to patch critical upstream vulnerabilities in its images within seven days of a qualifying patch being made available, and to patch high-, medium- and low-severity vulnerabilities within 14 days. Failure to meet these terms would come with a monetary payout to customers, Dunn said.

Chainguard can meet this SLA because of its proprietary back-end automation, which rapidly rebuilds images in response to new upstream vulnerabilities, while providing consistent attestation as to their provenance and an up-to-date software bill of materials listing the packages they contain. Customers can further customize container images within their own software delivery pipelines, Dunn said, but Custom Assembly offers a middle ground that's easier to consume than re-creating all that container build automation, attestation, digital signing and provenance information.

Chainguard is considering ways to make its Images more flexible and easier to adopt, including expanding beyond containers, Dunn said.

"There are lots of other preferences for how people want to get their containers, [with different] environment variables, or 'We want to change the file system,' these sorts of things," Dunn said. "These are all things that we're looking into as we evolve Custom Assembly."