In December 2025, we shared our first State of Trusted Open Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain day to day, alongside the vulnerabilities and remediation realities these projects face.
Fast forward a few months, and software development is accelerating at a pace that most didn't see coming. AI is increasingly embedded across the development lifecycle, from code generation to infrastructure automation, as models become more capable and better at meeting the demands of modern work. This shift is expanding what teams can build and how quickly they can ship.
It is also reshaping the security landscape.
Before diving into the numbers, it's important to explain how we performed this analysis. We examined over 2,200 unique container image projects, 33,931 total vulnerability instances, and 377 unique CVEs from December 1, 2026, through February 28, 2026. When we use terms like "top 20 projects" and "long tail projects" (images outside of the top 20), we're referring to real usage patterns observed across our customer portfolio and in production pulls.
In this report, we noticed a few new themes that point to this shift. These themes build on the trends from our last report and show the impact of increased AI-driven development, both in the types of container images being used and in the number of CVEs being discovered and remediated:
- Python and PostgreSQL growth reflects AI-driven development: Python remains the most popular image (72.1% of all customers use it), and PostgreSQL saw a 73% increase in usage quarter-over-quarter, underscoring the growing adoption of a modern AI stack across various use cases.
- The modern platform stack is becoming increasingly standardized: Across Chainguard customers, language ecosystem images account for more than half of the top 25 images used in production.
- Chainguard Base is becoming a foundation for developer tooling: The chainguard-base image, a minimal distroless base image without any toolchain or apps, was the 5th most-used Chainguard image, as customers use it as a sort of "utility belt" for their specific use cases (over 75% of Chainguard customers customize at least one image).
- AI is accelerating software development and vulnerability discovery: We applied over 300% more fixes in Chainguard Containers and saw a 145% increase in unique vulnerabilities compared with last quarter, signaling the use of AI both to push more code and to discover more CVEs.
- The long tail continues to define real-world risk: 96% of the vulnerabilities found and remediated in Chainguard Containers occurred outside of the top 20 most popular projects, consistent with the findings from December.
- Compliance continues to drive adoption of trusted open source: We saw the same themes from December present here, underscored by a FIPS-compliant variant of a Chainguard container image entering the top 10 images by customer count for the first time.
Usage: What teams actually run in production
We identified multiple themes centered on the prevalence of AI in code generation across regions and industries. On the usage side, this prevalence drives greater adoption of the Python language ecosystem and adjacent technologies.
Most popular images: Python and PostgreSQL growth reflects AI-driven development
PostgreSQL usage grew 73% quarter-over-quarter
The images that saw the strongest growth this quarter closely align with the technologies driving AI adoption.
Python remains the most widely deployed image across Chainguard customers. Combining FIPS (Federal Information Processing Standards) and non-FIPS variants, 72.1% of Chainguard customers use a Python image. This reflects Python's role as the default language for machine learning, data pipelines, and automation. What was once concentrated in experimentation environments is now moving into production systems across industries.
Node continues to anchor application infrastructure, with 60.7% of Chainguard customers using it in their environments. Together, Python and Node define the dominant runtime layer for modern applications.
The most notable change this quarter is in databases. PostgreSQL usage grew by 73% quarter over quarter, the largest increase among widely deployed images.
This growth aligns with broader trends in AI workloads. PostgreSQL is increasingly used as a foundation for vector search and retrieval-augmented generation, supported by extensions that enable embedding storage and similarity queries. As AI moves into production, databases are evolving alongside application runtimes.
The modern platform stack is converging
Over 50% of the most popular images are language ecosystems
This quarter, the data showed that production environments are converging around a consistent set of foundational components.
Language ecosystems account for more than half of the top 25 images used across customers. Python (72.1% of all customers), Node (60.7%), Java (44.4%), Go (42.8%), and .NET (27%) continue to define the runtime layer, with growth across each ecosystem.
Outside of runtimes, teams are standardizing on a familiar set of cloud-native components. Traffic management tools such as nginx and service mesh components remain widely deployed. Monitoring systems built around Prometheus continue to expand. Deployment workflows are increasingly anchored in GitOps tools such as ArgoCD and kubectl.
The result is a layered architecture that is broadly consistent across organizations: a small number of runtimes, a shared set of operational components, and a large and highly variable long tail of supporting dependencies.
Standardization is happening at the platform level, even as application-specific variation continues to grow.
Chainguard Base is becoming a foundation for developer tooling
Chainguard-base was the 5th most-deployed image by customer count
Chainguard Base is a minimal distroless base image without any toolchain or applications. It is designed to provide a secure foundation that teams can extend with only the components they need.
This quarter, it was the 5th-most-deployed image by customer count, used by 36.3% of customers across FIPS and non-FIPS variants.
Its role becomes clearer when looking at customization patterns. Across all customized repositories, 95% include added packages, and more than three-quarters of customers customize at least one image.
When organizations customize Chainguard Containers, the most frequently added packages are developer and operational utilities such as curl, bash, jq, git, and cloud tooling. These are not full application stacks. They are the tools needed to build, debug, and operate software.
This demonstrates a consistent pattern: teams use Chainguard Base as a secure starting point, then layer in the exact tooling required for their workflows. It is serving as a flexible foundation for CI/CD pipelines, debugging environments, and internal platform tooling.
As platform engineering practices mature, the need for secure, customizable base environments is becoming more pronounced. Chainguard Base is emerging as a core building block in that model.
CVEs: AI is accelerating software development and vulnerability discovery
Over 300% more fix instances this quarter
Just as we observed on the usage side with the increase in Python and PostgreSQL container images, AI is also changing the speed at which vulnerabilities surface.
In the previous report, we tracked 154 unique CVEs and 10,100 fix instances across Chainguard Containers. This quarter, those numbers rose to 377 unique CVEs and 33,931 fix instances (a 145% increase in unique vulnerabilities and over 300% more fixes applied compared to last quarter).
This increase reflects two parallel forces: 1) development is becoming faster and more distributed, which increases the number of dependencies entering production environments; and 2) vulnerability discovery is accelerating as researchers and attackers use automation and AI-assisted techniques to analyze code at scale.
The result is a tighter feedback loop between development and security. More code is being written, more dependencies are being introduced, and more vulnerabilities are being identified across the ecosystem.
What stands out is not only the increase in volume, but the Chainguard Factory's ability to respond to it. Median remediation time held essentially flat at 2.0 days, compared to 1.96 days last quarter, despite the much higher volume. High-severity vulnerabilities continued to be resolved quickly, with 97.9% fixed within one week.
The pace of discovery is increasing. The expectation for response is keeping up.
The long tail continues to define real-world risk
96% of CVEs occur outside the most popular images
While core infrastructure is becoming more standardized, most of the software supply chain lives outside the most visible components. Let us explain: the median customer sources about 74% of their images from the long tail of the catalog (images outside the top 20 in popularity). This reflects the reality that production environments extend far beyond a small set of widely used images.
Security risk follows the same pattern.
This quarter, 96.2% of CVE instances occurred outside the top 20 most widely used images. This is consistent with the previous report, which found that nearly all vulnerabilities were concentrated in long-tail projects.
The implication is straightforward: the images that teams interact with most frequently represent only a small portion of their actual exposure. The majority of vulnerabilities exist in dependencies that are less visible, less frequently updated, and often not directly owned by application teams.
Even across severity levels, the distribution holds. Critical, High, Medium, and Low vulnerabilities all follow the same pattern, with the overwhelming majority (96.18% on average) occurring outside the top 20 images. Attackers know what is popular, so they tend to look for vulnerable areas that most users do not keep top of mind.
As development accelerates and dependency graphs expand, managing the long tail becomes the central challenge of software supply chain security.
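To make the long-tail analysis reproducible against your own inventory, here is an added example (not Chainguard's code or the report's tooling) that computes the three metrics this section and the CVE section describe: the share of CVE instances landing outside the top N images by popularity, median disclosure-to-fix time in days, and the share of Critical/High instances fixed within one week. Image names, pull counts and CVE rows are constructed sample data; in practice they would come from your registry and scanner exports.

```python
"""Long-tail exposure and remediation metrics over a container inventory."""
from datetime import date
from statistics import median

# Constructed sample: image -> pull count. Popularity defines the "top N".
PULLS = {"python": 900, "node": 700, "nginx": 500, "postgres": 400,
         "chainguard-base": 350, "jq": 40, "go-tool": 30, "legacy-lib": 20}

# Constructed sample CVE instances: (image, severity, disclosed, fixed).
INSTANCES = [
    ("python", "High", date(2026, 1, 3), date(2026, 1, 4)),
    ("node", "Medium", date(2026, 1, 10), date(2026, 1, 12)),
    ("jq", "High", date(2026, 1, 15), date(2026, 1, 17)),
    ("go-tool", "Critical", date(2026, 2, 1), date(2026, 2, 2)),
    ("go-tool", "Low", date(2026, 2, 1), date(2026, 2, 6)),
    ("legacy-lib", "High", date(2026, 2, 10), date(2026, 2, 20)),
    ("legacy-lib", "Medium", date(2026, 2, 11), date(2026, 2, 14)),
    ("legacy-lib", "Low", date(2026, 2, 12), date(2026, 2, 13)),
]


def top_images(pulls, n):
    """The n most-pulled images; everything else is the long tail."""
    return set(sorted(pulls, key=pulls.get, reverse=True)[:n])


def long_tail_share(instances, pulls, n=20):
    """Fraction of CVE instances that hit images outside the top n."""
    top = top_images(pulls, n)
    outside = sum(1 for img, *_ in instances if img not in top)
    return outside / len(instances)


def median_fix_days(instances):
    """Median disclosure-to-fix time in days across all instances."""
    return median((fixed - disc).days for _, _, disc, fixed in instances)


def high_fixed_within(instances, days=7, severities=("Critical", "High")):
    """Share of Critical/High instances fixed within `days` of disclosure."""
    sev = [i for i in instances if i[1] in severities]
    quick = sum(1 for _, _, disc, fixed in sev if (fixed - disc).days <= days)
    return quick / len(sev)


if __name__ == "__main__":
    # With only 8 sample images, cut at the top 5 instead of the top 20.
    print(f"CVE instances outside top 5: {long_tail_share(INSTANCES, PULLS, 5):.1%}")
    print(f"median fix time: {median_fix_days(INSTANCES)} days")
    print(f"Critical/High fixed within 7 days: {high_fixed_within(INSTANCES):.1%}")
```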
Compliance is reshaping adoption patterns
Regulatory requirements are increasingly influencing how organizations build and deploy software.
This quarter marks the first time a FIPS-compliant Chainguard image (python-fips) has reached the top 10 by customer count, even when FIPS and non-FIPS variants are counted as a single metric. This milestone reflects a broader shift toward compliance-driven adoption.
FIPS adoption is increasing across multiple runtimes. Python FIPS, Node FIPS, and nginx FIPS images all saw growth in customer counts over the quarter.
Overall, 42% of customers now run at least one FIPS image in production.
This reflects the growing influence of frameworks such as FedRAMP, PCI DSS, SOC 2, and the EU Cyber Resilience Act. Compliance is no longer limited to a subset of industries. It is becoming a baseline requirement for software that operates in regulated environments.
As a result, secure and compliant images are moving from optional to expected.
A secure foundation for the AI era
The data from this quarter points to a clear trend. Software ecosystems are expanding. The number of unique images in use grew by 18%, reflecting broader adoption and more diverse workloads. At the same time, vulnerability discovery increased significantly, with a 145% rise in unique CVEs and a 3x increase in fixes.
Despite that growth, Chainguard's remediation performance remained stable. Median fix times held steady, and high-severity vulnerabilities continued to be resolved quickly. This combination matters. It shows that it is possible to scale both coverage and responsiveness simultaneously.
As AI continues to accelerate development, the volume of code and dependencies will grow. The challenge for security teams is not simply to keep up with that growth, but to manage it in a way that maintains consistency and trust. The organizations that succeed will be those that treat security as part of the development system itself, rather than as a layer applied afterward.
At Chainguard, we recognize the challenges that security and engineering teams face as AI technology becomes increasingly ubiquitous. We recently announced products such as Chainguard Agent Skills and Chainguard Actions to address this problem directly. As development speeds up, organizations must address hidden attack vectors throughout the software development lifecycle. The trusted open source we offer creates a secure-by-default foundation you can build on.
Ready to learn more about how Chainguard can protect your open source artifacts? Get in touch with our team today.