Chainguard State of Trusted Open Source 2025

The State of Trusted Open Source report reveals that most vulnerabilities lie outside the top 20 most popular open source projects, highlighting the security challenges in the "longtail" of less-visible images. Speedy remediation, compliance-driven adoption, and the growing importance of AI-related stacks like Python are key themes shaping modern open source security. #Chainguard #FIPS #Python #OpenSourceLongtail

Keypoints

  • The report is structured with sections covering usage patterns, regional differences, longtail image importance, compliance impacts, CVE risk distribution, remediation speed, and concluding with a call for broad trusted open source coverage.
  • Key statistics include analysis of over 1800 container projects, 10,100 vulnerability instances, and 154 unique CVEs recorded from September to November 2025.
  • Python leads as the most popular open source image globally, driven by AI workloads, followed by Node, nginx, Go, and Redis, indicating a foundational stack focused on modern infrastructure and AI development.
  • Longtail images beyond the top 20 projects constitute roughly half of production usage and host 98% of all vulnerabilities remediated, emphasizing the security risks outside widely used images.
  • Compliance needs, especially FIPS usage by 44% of customers, strongly influence production image choices, underscoring regulatory pressure as a catalyst for trusted open source adoption.
  • Chainguard achieves rapid remediation times for vulnerabilities, resolving Critical CVEs in under 20 hours on average and significantly faster than SLA targets.
  • The report highlights a disconnect where engineering teams focus on popular projects while the majority of risk accumulates in less-visible dependencies, advocating for comprehensive vulnerability management across the entire open source supply chain.
  • Trust in open source is linked to the ability to quickly remediate vulnerabilities across all images, including both popular and longtail projects, rather than just the core stack.
  • The findings call for solutions like Chainguard that manage the operational burden of the longtail, ensuring scalable security coverage as open source supply chains become more complex.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)