Chainguard, a provider of hardened open-source software, has released its inaugural “State of Trusted Open Source” report, an analysis of how organizations consume and secure their open-source software supply chains. Drawing on a dataset of more than 1,800 container image projects, 148,000 versions, and nearly half a billion builds, the report identifies trends in software consumption, vulnerability management, and the growing influence of regulatory compliance. Its central finding is a disconnect between the most popular open-source projects and where the majority of remediated vulnerabilities actually sit, underscoring the challenge engineering teams face in managing the full breadth of their dependencies.
The report, which analyzed anonymized product usage and Common Vulnerabilities and Exposures (CVE) data from September 1 to November 30, 2025, identifies several themes. Artificial intelligence is reshaping the baseline technology stack, with Python emerging as the most widely used image. A substantial share of production workloads runs on less visible “longtail” projects, and those same projects account for the vast majority of remediated vulnerabilities. Compliance requirements, such as FIPS cryptographic standards, increasingly shape deployment decisions, while remediation speed remains the decisive factor in whether teams can trust the open source they run.
The State of Trusted Open Source: Usage and Risk in Production
Chainguard’s analysis of its customer base reveals a clear picture of what software engineering teams are actively deploying. Foundational programming languages, runtimes, and essential infrastructure components dominate the list of most frequently used open-source images.
AI is Reshaping the Baseline Stack
Globally, Python stands out as the leading open-source image, used by 71.7% of Chainguard’s customers. The report attributes this to Python’s central role in the modern AI stack, from model development and data pipelines to production inference services. Other popular images include Node (56.5%), nginx (40.1%), Go (33.5%), and Redis (31.4%), alongside common Kubernetes ecosystem components such as Grafana, Prometheus, and Istio. This set of languages, runtimes, and infrastructure components forms the bedrock of most customers’ deployments.
Regional usage patterns show similar core dependencies but with variations in the “longtail” mix. While North America exhibits a consistent foundation of Python, Node, and Kubernetes tooling, regions outside North America show a more diverse portfolio that includes a notable presence of .NET runtimes and PostgreSQL. This indicates that while core requirements are similar, specific industry or regional demands can influence the broader open-source footprint.


The “longtail” of open-source images, those outside the top 20 most popular, plays a critical role in production environments. These less visible images account for more than half of all container pulls and make up 61.42% of the average customer’s container portfolio. Because the dataset is Chainguard’s own customer usage, “top 20” and “longtail” here refer to Chainguard images ranked by customer adoption. The finding challenges the notion that only the most common projects require diligent security management; a trusted open-source strategy has to extend across the whole spectrum of dependencies an organization actually pulls.
Compliance as a Catalyst for Action
Regulatory requirements are increasingly driving the adoption of hardened open-source software. The report notes that 44% of Chainguard’s customers deploy FIPS images in production, a strong indicator of how compliance frameworks such as FedRAMP, PCI DSS, and the EU’s Cyber Resilience Act shape software decisions. Strictly, FIPS 140 validation applies to cryptographic modules rather than to whole images; a “FIPS-certified” image is one that bundles a validated module and is configured to use only its approved algorithms. Organizations working within these frameworks require secure, auditable, and compliant open-source components, and the FIPS images they run mirror their non-FIPS portfolio: the most used are Python-fips, Node-fips, and nginx-fips, showing that the demand is for certified versions of the same essential tools.

Vulnerability Landscape: Popularity Does Not Map to Risk
A significant finding of Chainguard’s analysis is that the overwhelming majority of remediated vulnerabilities are concentrated outside the most popular open-source projects. In the three-month period analyzed, only 2% of the CVEs remediated by Chainguard occurred in the top 20 most popular images.
The remaining 98%, 10,785 CVEs in total, were found in the “longtail” of less frequently used projects. The figures are totals rather than per-image rates: the longtail spans more than 1,780 of the roughly 1,800 image projects analyzed, so the finding is about where the aggregate patching workload lands, not that any individual longtail image is riskier than a popular one. Either way, the bulk of the security burden accumulates in the less visible parts of the supply chain, which are harder to track and patch systematically. Medium-severity vulnerabilities are the most numerous, but operational urgency is driven by Critical and High-severity CVEs, and those have to be handled quickly across the entire portfolio rather than only in the headline images.

Trust is Built on Remediation Speed
For organizations relying on open-source software, the speed at which vulnerabilities are addressed is a direct measure of trust. Chainguard reports an average remediation time of under 20 hours for Critical CVEs, with 63.5% resolved within 24 hours and 100% within three days. Remediation of High, Medium, and Low-severity CVEs is likewise well inside Chainguard’s published service level agreements (SLAs).
Crucially, this speed is not limited to the most popular projects. For every CVE remediated in a top-20 image, Chainguard reports resolving 50 in less popular images, consistent with the 2%/98% split above. Securing this “quiet majority” of the supply chain matters because engineering teams rarely have the resources to track and patch vulnerabilities in dependencies outside their core focus.
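The two measurements the report leans on, the share of CVEs that land outside the top-N images by pull count and the time-to-fix distribution for Critical CVEs, are easy to reproduce against your own inventory. The following Python is an added example, not code from the report or from Chainguard; the image names, pull counts, placeholder advisory IDs (EXAMPLE-nnnn, deliberately not real CVE numbers) and timestamps are all constructed so that it runs offline.

```python
"""Apply the report's two headline measurements to an image inventory:
(1) the share of CVEs that fall outside the top-N images by pull count, and
(2) how fast Critical CVEs are remediated. All inputs below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample: pulls per image over the analysis window.
PULLS = {
    "python": 500, "node": 300, "nginx": 200, "redis": 100,
    "grafana": 60, "istio": 40, "dotnet-runtime": 30, "postgres": 20,
}


@dataclass(frozen=True)
class Cve:
    cve_id: str     # placeholder IDs (EXAMPLE-nnnn), deliberately not real CVE numbers
    image: str
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW
    published: str  # ISO-8601 UTC: advisory publication
    fixed: str      # ISO-8601 UTC: patched image available


# Constructed sample: ten remediated CVEs across the inventory above.
CVES = [
    Cve("EXAMPLE-0001", "redis",          "CRITICAL", "2025-09-01T00:00:00Z", "2025-09-01T06:00:00Z"),
    Cve("EXAMPLE-0002", "grafana",        "CRITICAL", "2025-09-02T00:00:00Z", "2025-09-02T12:00:00Z"),
    Cve("EXAMPLE-0003", "python",         "CRITICAL", "2025-09-03T00:00:00Z", "2025-09-04T06:00:00Z"),
    Cve("EXAMPLE-0004", "istio",          "CRITICAL", "2025-09-04T00:00:00Z", "2025-09-06T12:00:00Z"),
    Cve("EXAMPLE-0005", "node",           "HIGH",     "2025-09-05T00:00:00Z", "2025-09-05T20:00:00Z"),
    Cve("EXAMPLE-0006", "dotnet-runtime", "HIGH",     "2025-09-06T00:00:00Z", "2025-09-07T00:00:00Z"),
    Cve("EXAMPLE-0007", "postgres",       "MEDIUM",   "2025-09-07T00:00:00Z", "2025-09-09T00:00:00Z"),
    Cve("EXAMPLE-0008", "redis",          "MEDIUM",   "2025-09-08T00:00:00Z", "2025-09-10T00:00:00Z"),
    Cve("EXAMPLE-0009", "grafana",        "MEDIUM",   "2025-09-09T00:00:00Z", "2025-09-12T00:00:00Z"),
    Cve("EXAMPLE-0010", "istio",          "LOW",      "2025-09-10T00:00:00Z", "2025-09-20T00:00:00Z"),
]


def parse_ts(ts: str) -> datetime:
    """Parse ISO-8601 UTC; the 'Z' suffix is normalised for Python versions before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def top_n_images(pulls: dict, n: int) -> set:
    """The n most-pulled images; the report's 'top 20' with n=20."""
    ranked = sorted(pulls.items(), key=lambda kv: kv[1], reverse=True)
    return {image for image, _ in ranked[:n]}


def longtail_pull_share(pulls: dict, top: set) -> float:
    """Fraction of all pulls that go to images outside `top`."""
    total = sum(pulls.values())
    return sum(c for img, c in pulls.items() if img not in top) / total


def cve_share_by_tier(cves: list, top: set) -> dict:
    """Count CVEs inside vs outside the top tier, plus the longtail:top ratio."""
    in_top = sum(1 for c in cves if c.image in top)
    longtail = len(cves) - in_top
    return {
        "top": in_top,
        "longtail": longtail,
        "longtail_pct": 100.0 * longtail / len(cves),
        "longtail_per_top": (longtail / in_top) if in_top else float("inf"),
    }


def severity_counts(cves: list) -> Counter:
    """How many CVEs at each severity (the report notes Medium is the most numerous)."""
    return Counter(c.severity.upper() for c in cves)


def remediation_stats(cves: list, severity: str) -> dict:
    """Hours from publication to fix for one severity, with the 24h/72h hit rates the report quotes."""
    hours = [
        (parse_ts(c.fixed) - parse_ts(c.published)).total_seconds() / 3600
        for c in cves if c.severity.upper() == severity.upper()
    ]
    if not hours:  # edge case: nothing at this severity in the window
        return {"count": 0, "mean_hours": None, "max_hours": None,
                "pct_within_24h": None, "pct_within_72h": None}
    return {
        "count": len(hours),
        "mean_hours": mean(hours),
        "max_hours": max(hours),
        "pct_within_24h": 100.0 * sum(h <= 24 for h in hours) / len(hours),
        "pct_within_72h": 100.0 * sum(h <= 72 for h in hours) / len(hours),
    }


if __name__ == "__main__":
    top = top_n_images(PULLS, 3)
    print("top tier:", sorted(top))
    print("longtail pull share: %.1f%%" % (100 * longtail_pull_share(PULLS, top)))
    print("CVEs by tier:", cve_share_by_tier(CVES, top))
    print("severity mix:", dict(severity_counts(CVES)))
    print("Critical remediation:", remediation_stats(CVES, "CRITICAL"))
```

With real data, `PULLS` would come from your registry’s pull logs and `CVES` from your scanner’s fixed-advisory export; the tier split then tells you how much of your own patching workload sits outside the images your platform team watches most closely, and `remediation_stats` gives you the same 24-hour and three-day figures the report uses for comparison.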
The report’s implication is that organizations need to reassess their open-source security strategies. As the software supply chain grows in complexity, managing only the most popular components is insufficient: the sheer volume of dependencies outside the top tier carries a substantial, and often overlooked, security and compliance risk. Chainguard’s findings highlight the operational burden of securing that broad spectrum of software and argue for coverage and rapid remediation that extend across the whole ecosystem, not just its headline projects.
Going forward, organizations will have to manage the security of their entire open-source footprint, particularly the less visible dependencies that account for most remediated vulnerabilities. The challenge is to close the gap between developer attention, which concentrates on core projects, and the security requirements of the full supply chain. Chainguard expects the trend to continue and plans to report further on evolving usage patterns and risk distribution in the open-source landscape.
Note: This article synthesizes information from a report contributed by Ed Sawma, VP Product Marketing, and Sasha Itkis, Product Analyst at Chainguard.