Allgemein

Chainguard admitted Factory 1.0 was “brittle.” Here’s how 2.0 fixes it.

Von [email protected] Loading...
Chainguard admitted Factory 1.0 was “brittle.” Here’s how 2.0 fixes it.

The new, revised Chainguard Factory 2.0 swaps out 1.0’s fragile, event-driven pipeline with a self-healing system powered by a new open source framework called DriftlessAF.

Lots of people love the software supply-chain security company Chainguard for its secure-by-design open-source components for today’s application stacks. Who doesn’t like components that come guaranteed to have the latest CVE fixes? These are built by a process called the Chainguard Factory. This is an automated build system that continuously updates Chainguard’s safe containers, libraries, and VMs with the latest security patches. There’s only one little problem. As originally built, the “Factory” had more than its fair share of bugs. The answer? Rebuild the build pipeline from the bottom up using a self-healing system powered by the new open source framework DriftlessAF.

Factory job

Chainguard Factory’s job, according to Dustin Kirkland, Chainguard’s engineering SVP, is to constantly monitor and “build over 10,000 open source projects, and the moment that any upstream maintainer tags a new release, our automation springs into action—fetching that source code, checking the checksums, applying our build rules, rebuilding and recompiling that software, retesting that software at the package and unit level.”

That’s a huge, honking job. Chainguard now admits that their original Chainguard Factory 1.0 wasn’t up to the task. It was built on a traditional event-driven system. While functional at a smaller scale, the system became a loose confederation of fallible edge-triggered processes that struggled to keep pace with the depth and breadth of our catalog and our ambitious product promise: secure, up-to-date content with zero known CVEs.”

The result was a brittle system — “with DriftlessAF, we are moving away from complex, brittle processes,” the company writes on its blog — that was prone to errors, requiring subject matter experts (SMEs) to get their hands dirty to keep the programs running through the pipeline. This was, in a word, “unacceptable.”

So, Chainguard has replaced the old model with Chainguard Factory 2.0, a radical, AI-powered reimagining of its pipeline. This new model uses AI agents to run a reconciliation-driven drive. Factory 2.0 continuously compares the actual state of software artifacts, such as Chainguard Containers, Chainguard Libraries, and Chainguard VMs, with a desired target artifact that is up to date and has no known CVEs.

Some of these agents are derived from an AI agent programming company named — sorry for the confusion, but there it is — Factory. According to the company, Chainguard “selected Factory for its compaction engine, which collapses sprawling changes into reviewable PRs.” This compaction engine saves context between programming sessions. In other words, to quote Josh Wolf, a Chainguard Staff Engineer, “There’s all this hype nowadays about the improving memory of different agents. When you don’t have to think about context windows, you can treat [Factory] Droid like a colleague that just remembers what you’ve been talking about.”

AI bots and agents

Chainguard Factory 2.0  works by using AI bots and agents to continuously track code changes. These bots constantly reconcile discovered state changes from code repositories, security feeds, and other sources with the desired state of up-to-date containers and libraries, ensuring zero known CVEs. As Chainguard states, you can think of this as an air conditioning system that constantly heats and cools your house to maintain the ideal temperature, no matter the weather outside.

These agents work with Terraform modules that run the event-driven reconciliation infrastructure. Go language programs then direct the agents, which run on Google Gemini and Anthropic Claude.

This new system, unlike the previous platform, can work with unstructured data, orchestrate iterative workflows, and treat failed work items as safely repeatable rather than a hard stop failure. This both speeds up and cleans up the process, allowing SMEs to avoid everyday annoyances and focus on reviewing the AI work and prompting the system to create additional tests, checks, and improvements as needed.

A revolution

The end result, says Dan Lorenc, Chainguard co-founder and CEO, is “Factory. 2.0 is more than a factory. It’s a revolution. Our amazing engineering team is using AI to achieve remediation speeds we never thought possible. I’m talking about detecting and patching a vulnerability before upstream is even aware.”

He continues, “Our AI-powered pipeline is transforming raw source code into 1,000s of packages and assembling those into secure, compliant, and hardened container images at an unprecedented scale. But here’s the best part. AI powers it. Our engineers are available to help with the hard parts.”

It sounds promising. Now, the question is, “Will Chainguard Factory 2.0 and DriftlessAF live up to their promise?” There’s only one way to find out. Take them out, kick their tires, and let us know what you find.

The post Chainguard admitted Factory 1.0 was “brittle.” Here’s how 2.0 fixes it. appeared first on The New Stack.