The landscape of modern software development is undergoing a profound transformation, driven primarily by the rapid integration of artificial intelligence (AI) across the entire development lifecycle. A recent report, "The State of Trusted Open Source," published by Chainguard, provides a granular look into this evolving environment, highlighting both the unprecedented acceleration in software creation and the corresponding surge in vulnerability discovery. The analysis, covering the period from December 1, 2026, through February 28, 2027 (following up on insights from December 2025), meticulously examined over 2,200 unique container image projects, identifying 33,931 total vulnerability instances and 377 unique Common Vulnerabilities and Exposures (CVEs). This comprehensive review, based on real-world usage patterns observed across Chainguard’s customer portfolio and production pulls, paints a vivid picture of a software ecosystem expanding at an unprecedented pace, where speed and security are locked in a continuous, dynamic interplay.
The AI Imperative: Reshaping Development and Dependency Consumption
The most striking revelation from Chainguard’s latest report is the pervasive influence of AI on software development practices. From intelligent code generation tools to sophisticated infrastructure automation platforms, AI models are becoming indispensable, enabling teams to build and ship applications with unparalleled speed. This acceleration, however, is not without its implications for the underlying technological stack. The report identifies a clear shift in the adoption of core technologies, directly correlating with the demands of AI-driven development.
Python, long a favorite in data science and scripting, has cemented its position as the dominant language, with 72.1% of Chainguard customers utilizing a Python image, including both Federal Information Processing Standards (FIPS) and non-FIPS variants. This widespread adoption underscores Python’s foundational role in machine learning frameworks, data pipelines, and automation scripts that power modern AI applications. What was once confined to experimental environments is now firmly entrenched in production systems across diverse industries, reflecting a maturity in AI operationalization.

Complementing Python’s rise, PostgreSQL has emerged as a key database technology, experiencing an astonishing 73% quarter-over-quarter growth in usage—the most significant increase among widely deployed images. This surge is directly attributable to PostgreSQL’s increasing utility as a backbone for vector search and Retrieval-Augmented Generation (RAG) architectures, critical components in many advanced AI systems. Extensions enabling embedding storage and similarity queries have transformed PostgreSQL into a versatile data store capable of handling the unique demands of AI workloads, demonstrating how traditional infrastructure is rapidly adapting to the AI era. Node.js continues to serve as a robust anchor for application infrastructure, with 60.7% of customers deploying it, solidifying its role alongside Python as a dominant runtime layer.
Convergence and Customization: The Modern Platform Stack
Beyond individual language ecosystems, the report highlights a broader convergence around a consistent set of foundational components within production environments. Language ecosystems collectively account for over half of the top 25 images utilized by customers, including Java (44.4%), Go (42.8%), and .NET (27%), alongside Python and Node. This indicates a standardization at the runtime level, where organizations are coalescing around a select few powerful and versatile programming environments.
In parallel, cloud-native operational components are also seeing increased standardization. Traffic management solutions like nginx, along with various service mesh components, remain extensively deployed. Monitoring systems, particularly those built around Prometheus, continue their expansion, providing crucial visibility into complex distributed systems. Furthermore, deployment workflows are increasingly anchored in GitOps tools such as ArgoCD and kubectl, fostering declarative, automated, and auditable infrastructure management.
This trend toward a layered architecture—comprising a small number of core runtimes, a shared set of operational components, and a vast, highly variable "long tail" of supporting dependencies—suggests that while application-specific innovation flourishes, the underlying platform is becoming more uniform. This standardization at the platform level offers benefits in terms of operational efficiency, shared expertise, and potentially, easier security management for the core components.

A notable development underscoring this trend is the ascendance of Chainguard Base. Designed as a minimal, distroless base image devoid of unnecessary toolchains or applications, Chainguard Base offers a secure, lean foundation that teams can extend with only the essential components. This quarter, it ranked as the 5th most-deployed image by customer count, used by 36.3% of customers across FIPS and non-FIPS variants. Its popularity is particularly telling when examining customization patterns: 95% of customized repositories include added packages, and over three-quarters of customers customize at least one image. The most frequently added packages are developer and operational utilities such as curl, bash, jq, git, and various cloud tooling. This signifies that Chainguard Base is serving as a flexible, secure starting point for CI/CD pipelines, debugging environments, and internal platform tooling, aligning perfectly with the maturation of platform engineering practices that prioritize secure, customizable base environments.
The Escalating Vulnerability Landscape: A Race Against Time
The acceleration in software development, while fostering innovation, has a direct and significant impact on the security landscape. The report reveals a dramatic increase in vulnerability discovery and remediation efforts. Compared to the previous report, which tracked 154 unique CVEs and 10,100 fix instances, the latest quarter saw a staggering 377 unique CVEs and 33,931 fix instances. This represents a 145% increase in unique vulnerabilities and over 300% more fixes applied in a single quarter.
This surge is attributed to a confluence of factors: the increasing speed and distributed nature of development lead to a greater number of dependencies being introduced into production environments. Simultaneously, vulnerability discovery itself is accelerating, as security researchers and malicious actors alike leverage automation and AI-assisted techniques to analyze vast swathes of code at scale. The result is a tighter feedback loop between development and security, where more code, more dependencies, and more vulnerabilities are being identified across the ecosystem at an unprecedented pace.
Despite this formidable increase in volume, Chainguard’s remediation capabilities demonstrated remarkable resilience. The median remediation time held essentially flat at 2.0 days, a negligible increase from 1.96 days in the previous quarter. Crucially, high-severity vulnerabilities continued to be addressed with exceptional speed, with 97.9% resolved within one week. This performance underscores the efficacy of Chainguard’s proactive approach to software supply chain security, demonstrating that it is possible to scale both coverage and responsiveness even in the face of rapidly expanding threat surfaces.

The Persistent Challenge of the "Long Tail"
While core infrastructure components are becoming more standardized and thus potentially easier to secure at a foundational level, the majority of software supply chain risk continues to reside outside these most visible elements. The report emphasizes the enduring challenge posed by the "long tail" of dependencies—images outside the top 20 in popularity. The median customer sources approximately 74% of their images from this long tail, reflecting the reality that production environments extend far beyond a small set of widely used images.
Security risk mirrors this pattern precisely. A striking 96.2% of all CVE instances discovered this quarter occurred outside the top 20 most widely used images. This finding is consistent with previous reports and underscores a critical blind spot for many organizations. The implication is clear: the images and components that teams interact with most frequently represent only a small fraction of their actual exposure. The vast majority of vulnerabilities are embedded within less visible, less frequently updated, and often not directly owned dependencies. This includes critical, high, medium, and low severity vulnerabilities, all following the same distribution pattern, with an average of 96.18% occurring in long-tail images. Attackers, aware of this disparity, often target these less scrutinized areas, which present fertile ground for exploitation. Managing this expansive and complex long tail is rapidly becoming the central, defining challenge of modern software supply chain security as development accelerates and dependency graphs grow ever more intricate.
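As an added example (not code from Chainguard or its report), the script below applies the report's long-tail framing to a constructed image inventory: it ranks images by how many customers use them, takes the top N (the report uses 20; the small constructed data set uses 2), and reports what share of images and of CVE instances per severity fall outside that set, plus the fraction of one severity remediated within a deadline, the metric behind the report's 97.9%-within-one-week figure. All image names, user counts and remediation times are constructed.

```python
"""Added example, not code from Chainguard or its report: compute the
long-tail metrics the report describes (share of images and of CVE
instances outside the top-N images, share fixed within a deadline)."""
from collections import Counter

# Constructed sample rows, one per CVE instance: (image, users, severity, days to fix)
INVENTORY = [
    ("python", 721, "HIGH", 1.0),
    ("python", 721, "MEDIUM", 2.0),
    ("node", 607, "LOW", 3.0),
    ("postgres", 300, "HIGH", 1.5),
    ("postgres", 300, "MEDIUM", 2.0),
    ("legacy-pdf-tool", 15, "CRITICAL", 9.0),
    ("legacy-pdf-tool", 15, "HIGH", 6.0),
    ("vendor-sdk", 8, "HIGH", 4.0),
    ("vendor-sdk", 8, "MEDIUM", 2.0),
    ("vendor-sdk", 8, "LOW", 12.0),
    ("ml-notebook-extra", 5, "CRITICAL", 3.0),
    ("ml-notebook-extra", 5, "MEDIUM", 5.0),
]

def top_images(rows, n):
    """The n images used by the most customers; the report uses n = 20."""
    usage = {img: users for img, users, _, _ in rows}
    return set(sorted(usage, key=usage.get, reverse=True)[:n])

def long_tail_image_share(rows, n):
    """Fraction of distinct images that fall outside the top n."""
    images = {img for img, _, _, _ in rows}
    return len(images - top_images(rows, n)) / len(images)

def long_tail_share(rows, n):
    """Fraction of CVE instances outside the top n, per severity and overall."""
    top = top_images(rows, n)
    total, tail = Counter(), Counter()
    for img, _, sev, _ in rows:
        for key in (sev, "ALL"):
            total[key] += 1
            if img not in top:
                tail[key] += 1
    return {key: round(tail[key] / total[key], 3) for key in total}

def fixed_within(rows, deadline_days, severity):
    """Fraction of instances of one severity remediated within the deadline."""
    hits = [days <= deadline_days for _, _, sev, days in rows if sev == severity]
    return sum(hits) / len(hits) if hits else None

if __name__ == "__main__":
    print("long-tail share of CVE instances:", long_tail_share(INVENTORY, 2))
```

Feeding real scanner output into `INVENTORY` (one row per finding) turns the same functions into a per-environment check of how much exposure sits in images nobody is watching closely.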
Compliance as a Catalyst for Secure Adoption
Beyond technological advancements and threat landscapes, regulatory requirements are increasingly shaping how organizations build and deploy software. The report notes that for the first time, a FIPS-compliant Chainguard image (python-fips) has entered the top 10 by customer count, even when FIPS and non-FIPS variants are combined. This milestone signals a broader shift towards compliance-driven adoption of secure software components.

FIPS adoption is on the rise across multiple runtimes, with Python FIPS, Node FIPS, and nginx FIPS images all showing growth in customer counts over the quarter. Overall, a significant 42% of Chainguard customers now run at least one FIPS image in production. This trend is not isolated but reflects the growing influence of various regulatory frameworks, including FedRAMP, PCI DSS, SOC 2, and the European Union’s Cyber Resilience Act. These regulations are expanding their reach beyond traditional government and financial sectors, becoming a baseline requirement for any software operating in regulated environments. Consequently, the demand for secure and compliant images is transitioning from an optional best practice to an expected, non-negotiable standard. This shift drives organizations to prioritize foundational security measures, such as using hardened, FIPS-compliant images, to meet their legal and operational obligations.
Forging a Secure Foundation for the AI Era
The collective data from Chainguard’s latest "The State of Trusted Open Source" report paints a compelling picture of a software ecosystem in flux. The sheer volume of unique images in use grew by 18%, reflecting both broader adoption and increasingly diverse workloads. Simultaneously, the rate of vulnerability discovery and remediation has soared, with a 145% rise in unique CVEs and a threefold increase in applied fixes.
Despite these escalating challenges, the stability of Chainguard’s remediation performance—maintaining median fix times and rapidly resolving high-severity vulnerabilities—offers a crucial insight: it is indeed possible to scale both security coverage and responsiveness concurrently. This capability is paramount as AI continues to accelerate development, inevitably leading to an even greater volume of code and dependencies.
The core challenge for security teams in this new era is not merely to keep pace with growth, but to manage it in a way that preserves consistency, trustworthiness, and resilience. The report implicitly argues that organizations poised for success will be those that integrate security intrinsically into the development system itself, rather than treating it as an afterthought or a separate, applied layer.

Chainguard explicitly addresses these challenges with product innovations such as Chainguard Agent Skills and Chainguard Actions, designed to help organizations manage the hidden attack vectors throughout the software development lifecycle. By providing trusted, secure-by-default open-source foundations, Chainguard aims to empower engineering and security teams to navigate the complexities of AI-driven development without compromising on security posture.
In essence, the report serves as both a warning and a guide: the AI revolution is here, bringing with it unprecedented speed and complexity. Securing this future demands a proactive, integrated, and highly responsive approach to software supply chain security, built on foundations that are trusted, minimal, and compliant by design. The ongoing conversation about open source security will increasingly revolve around how effectively organizations can manage this accelerated reality, ensuring that innovation does not come at the expense of integrity.
