Securing Open Source: Chainguard CEO Dan Lorenc on Maintaining Critical Repositories
Chainguard is implementing a strategy to maintain the stability of the internet’s foundation by forking archived but widely used open-source repositories to provide essential security maintenance and dependency upgrades.
This effort addresses a critical gap in the software supply chain where production systems often rely on open-source projects that have been abandoned by their original maintainers, leaving security tickets unanswered and vulnerabilities unpatched.
Addressing Open Source Sustainability
The initiative by Chainguard aims to combat maintainer burnout and the systemic funding problems that lead to the archiving of vital open-source projects. By providing trusted stewardship, the company seeks to reduce the risks associated with the collapse of project maintenance.
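The gap described above is detectable on your own side of the supply chain: for each dependency, look at whether its upstream repository has been archived or has simply gone quiet. The following is an added example, not Chainguard's code or anything the article describes; it assumes each dependency maps to a GitHub repository and that you already hold the repository metadata in the shape the GitHub REST API returns for GET /repos/{owner}/{repo} (the `archived`, `pushed_at` and `open_issues_count` fields). The three repositories and the "now" timestamp below are constructed for the example.

```python
"""Audit a dependency list for upstream repositories that look abandoned.

Added example (not Chainguard's code). The metadata dicts below are
constructed; in practice each would be the JSON body returned by
GET https://api.github.com/repos/{owner}/{repo}.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RepoMeta:
    full_name: str
    archived: bool            # set when the maintainer archived the repo on GitHub
    pushed_at: datetime       # last push to any branch, UTC
    open_issues_count: int    # GitHub counts open pull requests here as well


def parse_repo_meta(payload: dict) -> RepoMeta:
    """Pull the fields we need out of a GitHub /repos/{owner}/{repo} response."""
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on, so
    # normalise it to an explicit offset first.
    ts = payload["pushed_at"].replace("Z", "+00:00")
    return RepoMeta(
        full_name=payload["full_name"],
        archived=bool(payload.get("archived", False)),
        pushed_at=datetime.fromisoformat(ts),
        open_issues_count=int(payload.get("open_issues_count", 0)),
    )


def classify(meta: RepoMeta, now: datetime, stale_after: timedelta) -> str:
    """Return 'archived', 'stale' or 'active'.

    'archived' is authoritative: the maintainer has said the project is done.
    'stale' is only a heuristic (no push within stale_after); a mature library
    can legitimately go a year without commits, so treat it as a prompt to
    look at the issue tracker, not as proof of abandonment.
    """
    if meta.archived:
        return "archived"
    if now - meta.pushed_at > stale_after:
        return "stale"
    return "active"


def audit(dependencies: dict[str, dict], now: datetime,
          stale_after: timedelta = timedelta(days=365)) -> dict[str, str]:
    """Map each dependency name to the maintenance status of its upstream repo."""
    return {
        name: classify(parse_repo_meta(meta), now, stale_after)
        for name, meta in dependencies.items()
    }


# Constructed sample: three hypothetical dependencies and their upstream metadata.
SAMPLE_DEPENDENCIES = {
    "oldparser": {"full_name": "example/oldparser", "archived": True,
                  "pushed_at": "2022-03-01T12:00:00Z", "open_issues_count": 41},
    "quietlib":  {"full_name": "example/quietlib", "archived": False,
                  "pushed_at": "2024-01-15T08:30:00Z", "open_issues_count": 7},
    "busylib":   {"full_name": "example/busylib", "archived": False,
                  "pushed_at": "2026-03-10T17:45:00Z", "open_issues_count": 3},
}
SAMPLE_NOW = datetime(2026, 3, 17, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, status in audit(SAMPLE_DEPENDENCIES, SAMPLE_NOW).items():
        print(f"{name}: {status}")
```

Run against a real dependency graph, the `archived` hits are the ones to act on immediately (pin, fork, or replace); the `stale` hits are a review list. The `open_issues_count` field is carried through so a follow-up step can weight a stale repository with dozens of unanswered issues differently from one with none.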

This approach is part of a broader mission to serve as a safe source for open source. Chainguard previously focused on the end of the supply chain with its zero-CVE container images, which are designed with a reduced attack surface and transparent provenance to ensure they start and remain at zero Common Vulnerabilities and Exposures (CVEs).
The Role of Chainguard Repository
On March 17, 2026, Chainguard announced the launch of Chainguard Repository. This unified repository provides a single managed experience for developers and AI agents to pull secure-by-default open-source artifacts.
The repository includes a variety of artifacts, including:
- Containers and libraries
- OS packages and virtual machine images
- CI/CD workflows
- Agent skills
These artifacts feature built-in, intelligent policies designed to enforce enterprise security standards, allowing engineering teams to govern how they use open-source software safely and compliantly.
The Impact of AI on Software Supply Chains
The urgency of these security measures is driven by the increasing speed and scale of software development fueled by AI. According to Chainguard CEO and Co-founder Dan Lorenc, AI coding tools and autonomous agents generate more code and pull in more dependencies than human developers ever have.
AI is dramatically increasing the speed of software development for defenders and attackers alike. AI coding tools and autonomous agents are generating more code, pulling in more dependencies, and interacting with open source at a scale humans have never seen before.
Dan Lorenc, CEO and Co-founder of Chainguard
The risk is amplified by the fact that attackers are also using AI to prototype malware, perform prompt injection, and hijack Model Context Protocol (MCP) integrations. In 2025, nearly 455,000 new malicious packages were uploaded to Maven Central, PyPI, and npm.
Current industry data highlights the severity of the vulnerability gap: 89% of container images in production contain known vulnerabilities, and the average container carries more than 600 known CVEs.
Enterprise Security Trade-offs
Engineering teams currently face a trade-off between innovation speed and security. With AI accelerating development on both sides, any vulnerability that already exists in a deployed artifact becomes easier for attackers to find and exploit.
Chainguard positions its repository as the trust layer for this era, aiming to remove the necessity for companies to choose between moving fast and staying secure by providing artifacts that are secure by default.
