AI agent migrates legacy Dockerfiles to low-to-zero CVE images, paving the way for ongoing artifact management across the software development lifecycle

KIRKLAND, Wash., March 17, 2026 /PRNewswire/ -- Chainguard, the trusted source for open source, today announced the Guardener, an AI agent that enables intelligent, continuous maintenance of Chainguard's trusted open source artifacts across software development and deployment workflows. Today, the Guardener automatically converts bloated, legacy Dockerfiles to use minimal, zero-CVE Chainguard container images, eliminating manual migration toil while preserving developer velocity. Over time, the Guardener will extend even more capabilities of the Chainguard Factory to Chainguard customers, making the infrastructure the company uses to build and maintain secure-by-default open source software accessible to developers to automate migrations, dependency updates, and ongoing artifact maintenance directly within their CI/CD environments.

The compounding security gap in the AI coding era

Trusted container images have become a foundational layer of the modern software development lifecycle, but organizations of all sizes struggle to move legacy, bloated distro-based images to distroless, zero-CVE defaults. Engineering teams understand that trusted images are critical, but providing a path to secure-by-default artifacts that scales across teams without introducing developer toil or refactoring overhead is a challenge. As AI accelerates software development, the number of artifacts requiring maintenance is growing exponentially, making manual migration and periodic remediation unsustainable. To keep pace, organizations need intelligent, continuous maintenance that can automatically migrate, evolve, and update software artifacts across their CI/CD systems.

"We've entered the agentic software development era, and the volume of code being generated is growing far beyond what humans can reasonably maintain," said Dan Lorenc, CEO and Co-founder, Chainguard. "The Guardener is our vision for how that changes: an intelligent system that can continuously build, update, and improve the artifacts developers and AI agents rely on. We're extending the same software factory we built to manage and harden open source at scale to everyone. Our goal is to help teams build efficient CI/CD systems they're confident in, where secure software is the default."

AI-driven Dockerfile migration with built-in validation

The Guardener intelligently gathers environmental context and insights to understand what a Dockerfile is designed to do, rebuilds it line by line, and continuously tests as it goes. The agent transforms what was once a time-intensive migration effort into a seamless, automated workflow. Key capabilities include:

AI-powered orchestration: The Guardener makes contextual decisions about package mappings and migration strategies, incrementally building and testing Dockerfiles to produce accurate, stable conversions beyond basic text replacement.Incremental validation: Dockerfiles are rebuilt layer by layer to detect divergence early, providing functional equivalence checks and detailed migration reports.GitHub or local deployment: The Guardener can be deployed via a GitHub app[1] integration or locally in your environment to provide deeper context, telemetry, and validation. The Guardener calls back to Chainguard via API, delivering accuracy that standalone tools can't match.With the Guardener, organizations can generate golden image catalogs or migrate individual Dockerfiles to use zero-CVE Chainguard base images, without requiring developers to learn new package managers or refactor workflows. What once took weeks to convert and test, the Guardener can now do in less than an hour. It also delivers verifiable post-migration insights, including comparisons of image size, vulnerability posture, and filesystem changes, providing audit trails for engineering and security teams.

"Shift left security for web and container-based infrastructures essentially failed because we put the development burden on developers and the maintenance burden on busy ops and platform teams," said James Governor, Analyst and Co-founder, RedMonk. "The only way to make developers change their habits and workflows is if you make the right thing the easy thing. That means automation and a great developer and operator experience—the focus of Chainguard's efforts in supply chain security with Guardener. Continuous maintenance is becoming mandatory as AI code generation explodes."

From migration to continuous maintenance

As developers and agents interface with the Guardener, it will evolve to unlock more value from the Chainguard Factory, including:

Ongoing build and maintenance: Move from Dockerfile conversion to custom image builds with ongoing maintenance powered by the Chainguard Factory's AI-native, hardened SLSA Level 3 pipeline, enabling automatic updates to images and dependencies.New secure-by-default artifacts: Extend to other code development artifacts like language libraries as well as CI/CD tooling like GitHub Actions, offering secure-by-default offerings and frictionless adoption paths.Predictive artifact requests: Identifying frequently installed third-party dependencies and proactively suggesting hardened, compliant versions built in the Chainguard Factory.Tracking implementation and reconciliation to runtime: Give teams better visibility into implementation progress and, as runtime insight expands, a clearer view of how those changes are reflected in production environments.Supply chain visibility: Deliver enhanced telemetry and reporting on open source artifact adoption to help security and platform teams monitor software supply chain health.Greater customization: Enable teams to tailor the agent through configurable skills and policies that support team-specific workflows without slowing developer velocity.The Guardener is available in beta. To be among the first to try it, visit https://www.chainguard.dev/guardener.

About Chainguard

Chainguard is the trusted source for open source. By delivering hardened, secure, and production-ready builds of all the open source software engineers and AI agents rely on, Chainguard helps organizations build faster, stay compliant, and eliminate risk. Its customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, OpenAI, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/

1 All trademarks are the property of their respective owners.

View original content to download multimedia:https://www.prnewswire.com/news-releases/chainguard-introduces-the-guardener-intelligent-continuous-maintenance-for-secure-software-artifacts-302715322.html

SOURCE Chainguard