In March 2026, at the Assemble conference in New York, Chainguard unveiled Factory 2.0, the second generation of its platform for maintaining hardened open source images and secure software artifacts. This major upgrade replaces the original platform's traditional, event-driven, rule-based automations with a more durable system that combines standard code and agentic reconciliation bots. The new framework, enabled by artificial intelligence (AI), is designed to manage software pipelines using a controller/reconciler model to orchestrate and continuously reconcile open source artifacts across containers, libraries, GitHub Actions, and agent skills.
The Changing Threat Landscape
The revamp comes at a critical time as threat actors continue to develop new ways of spreading malware into software supply chains. Just last year, attackers hijacked tj-actions/changed-files, a popular GitHub Action on GitHub's continuous integration/continuous delivery (CI/CD) platform, and redirected GitHub Actions tags to a malicious commit. This resulted in a leak of secrets from over 23,000 repositories. More recently, adversaries uploaded malicious skills to OpenClaw registries that instructed coding agents to install the Atomic macOS Stealer on developers' machines. These incidents highlight the increasing sophistication of supply chain attacks and the urgent need for automated, continuous security measures.
Software supply chain attacks have become one of the most pressing cybersecurity challenges. The SolarWinds attack in 2020 demonstrated how a single compromised component could affect thousands of organizations. Since then, attacks have evolved to target CI/CD pipelines, which are considered the most privileged systems in software development. These pipelines have write permissions in repositories, deployment credentials, signing keys, and access to an organization's entire production infrastructure. Workflows running within them are often not inspected, and in many cases come from unknown third parties, making them a wide target for attackers.
Factory 2.0: A New Approach
Chainguard's Factory 2.0 introduces a rebuilt framework that relies on the open source DriftlessAF agentic framework to keep approved open source artifacts continuously updated and patched, rather than relying on delicate, throwaway scripts. The new control plane orchestrates and continuously reconciles open source artifacts across containers, libraries, GitHub Actions, and agent skills. This shift from event-driven automation to a durable, reconciliation-based model means that the system constantly checks and corrects the state of artifacts, ensuring they remain secure even as upstream updates or new exploits appear.
Preview of Actions, Skills, and Guardener
Chainguard Actions
Chainguard Actions is a hardened catalog of GitHub Actions and similar CI/CD workflows built and continuously maintained in Chainguard Factory 2.0. Rather than letting developers or AI agents pull arbitrary GitHub Actions from third parties, it provides a continuously maintained, hardened catalog of vetted workflows that Chainguard re-creates from source and secures when upstream updates or new exploits appear. The catalog is designed to eliminate risk from configurations and malware in third-party actions, as Dan Lorenc, Chainguard's co-founder and CEO, explained at the Assemble conference.
"These are secure by default, drop-in replacements of upstream GitHub Actions for your CI/CD pipelines," Lorenc told attendees. "They let your developers and agents shift fast without taking on supply chain risk in the pipeline itself." The preview currently includes more than 100 of the top actions from the GitHub marketplace, with dozens of hardened fixes that make them easier to use without worrying about security risks.
Patrick Donahue, Chainguard's chief product officer, explains that the tool takes the actions as they exist and hardens them. "If you use an action today that logs into a particular system but it's got some potentially unsafe code, we will detect that and remediate that so the version you're running from us is much less likely to get compromised," Donahue says.
Chainguard Agent Skills
Chainguard Agent Skills is a catalog of continuously hardened, third-party AI agent skills that lets developers securely plug capabilities into AI agents. These skills are small, modular instruction sets—essentially markdown files with instructions. "Imagine if you could tap all the experts in an industry and be able to ask them questions and do stuff for you. That's essentially what the skills do," Donahue says. Third-party skills are intended to enhance the capabilities of AI agents that perform specific tasks, such as browser automation, PDF processing, SEO checking, web design, and code quality reviews. By hardening these skills, Chainguard aims to prevent attackers from injecting malicious instructions that could lead to data theft or system compromise.
Chainguard Guardener
Chainguard Guardener is an AI agent that automates the migration and maintenance of trusted open source artifacts across both development and deployment workflows. The initial release automatically converts legacy Dockerfiles into minimal, zero-CVE Chainguard container images. Future updates will add that capability to other configuration scripts. "The Guardener is our agent that we're going to put in customer environments to allow customers to use our images in a more automated way," says Ed Sawma, a Chainguard product VP.
Adeel Saeed, Kyndryl's CISO, comments on the potential impact: "Today, the adoption that we have is very manual because you go to the library, you download an image, and then you put it in your Artifactory. With the Actions piece, we can tie it back to the Git open source version control tool, while with the Guardener, we can tie it back to the whole Git repo, and automate that process. I think it will definitely help with adoption."
The Role of AI in Supply Chain Security
The use of AI agents and reconciliation bots in Factory 2.0 represents a shift from static, manual security processes to dynamic, automated ones. AI can analyze patterns, detect anomalies, and respond to threats faster than human operators. However, AI also introduces new risks, as seen in the malicious skills uploaded to OpenClaw registries. Chainguard's approach of hardening both the actions and the skills themselves mitigates these risks by ensuring that only vetted, secure components are used in pipelines and agent tasks.
The controller/reconciler model used in Factory 2.0 is inspired by Kubernetes' operator pattern, where a controller continuously monitors the state of resources and reconcilers ensure the actual state matches the desired state. This pattern is well-suited for supply chain security because it can detect and correct drift caused by upstream changes or attacks. The open source DriftlessAF framework provides the agentic capabilities, allowing the system to autonomously patch and update artifacts without human intervention.
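The pattern described above, applied to the failure mode behind the tj-actions/changed-files incident (a workflow that references an action by a tag that can be repointed), as an added example that is not Chainguard's or DriftlessAF's code. It assumes a desired-state map of approved commit SHAs; the SHAs, the sample workflow, and `example-org/lint-action` are constructed placeholders.

```python
import re

# Desired state: approved "owner/repo" -> full commit SHA.
# Constructed placeholder SHAs, not real commits.
APPROVED = {
    "actions/checkout": "b" * 40,
    "tj-actions/changed-files": "a" * 40,
}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<action>[^@\s'"]+)@(?P<ref>[^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def reconcile(workflow_text, approved=APPROVED):
    """One reconcile pass: observe each `uses:` ref, compare it with the
    desired pin, correct drift. Returns (corrected_text, findings)."""
    out, findings = [], []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None or m["action"].startswith("docker://"):
            out.append(line)  # not a repository action reference
            continue
        action, ref = m["action"], m["ref"]
        want = approved.get("/".join(action.split("/")[:2]))
        if want is None:
            # No desired state exists: report it, never guess a pin.
            findings.append((lineno, action, ref, "unapproved"))
        elif ref != want:
            # A tag or branch can be repointed upstream; another SHA is drift.
            kind = "drift" if SHA_RE.match(ref) else "mutable-ref"
            findings.append((lineno, action, ref, kind))
            line = line[:m.start("ref")] + want + line[m.end("ref"):]
        out.append(line)
    return "\n".join(out), findings


# Constructed sample workflow; example-org/lint-action is hypothetical.
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{APPROVED['actions/checkout']}
      - uses: tj-actions/changed-files@v1
      - name: lint
        uses: example-org/lint-action@main
"""

if __name__ == "__main__":
    fixed, findings = reconcile(SAMPLE)
    print(findings)
    print(fixed)
```

Running the pass again on its own output reports only the unapproved action, which is the property a reconciler needs: corrected state produces no further corrections.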
Background on Chainguard
Chainguard was founded in 2021 by former Google engineers who worked on the open source project sigstore, a tool for signing and verifying software artifacts. The company's mission is to make software supply chain security accessible and automated. Its flagship product, Chainguard Images, provides minimal, zero-CVE container images for popular languages and frameworks. Factory 2.0 builds on this foundation by extending automation to the entire pipeline, from development to deployment.
The company has raised significant funding and counts major enterprises like Kyndryl as customers. The launch of Factory 2.0 at the Assemble conference underscores Chainguard's commitment to staying ahead of the evolving threat landscape. By combining AI, automation, and a rigorous hardening process, the company aims to set a new standard for supply chain security.
Additional Insights and Future Directions
Factory 2.0 is not a one-time fix but a continuous process. The reconciliation bots run constantly, checking for updates and vulnerabilities. This is a departure from traditional vulnerability scanning, which is often done periodically. The system can automatically apply patches or roll back changes if an update introduces a new risk. This reduces the window of exposure and ensures that artifacts are always in a known-good state.
The expansion of the Chainguard Actions catalog is another key aspect. Currently, the catalog includes over 100 actions, but the company plans to add more as the community contributes. These actions are not limited to GitHub Actions; they also cover similar CI/CD workflows from other platforms. By providing a curated set of hardened actions, Chainguard simplifies the developer experience while maintaining security.
Agent Skills are particularly relevant as AI coding assistants become more prevalent. Tools like GitHub Copilot and others rely on agents that can execute code or commands. Without proper hardening, these agents can be manipulated into executing malicious commands. Chainguard's Agent Skills ensure that the instruction sets are safe and do not contain hidden commands or backdoors. This is crucial for enterprises that want to leverage AI without compromising security.
The Guardener AI agent automates the tedious task of migrating from legacy Dockerfiles to secure container images. Many organizations have thousands of Dockerfiles that need to be updated to use minimal images with fewer vulnerabilities. Guardener automates this process, reducing manual effort and the risk of human error. Future updates will extend this capability to other configuration files, making it a comprehensive tool for infrastructure-as-code security.
Industry Reception and Adoption
The initial response from industry experts and customers has been positive. Adeel Saeed's comments highlight the practical benefits for large enterprises that struggle with manual adoption of secure images. The automation provided by Factory 2.0 can significantly reduce the time and effort required to maintain a secure supply chain. Other security professionals have noted that the reconciliation model is a natural evolution of supply chain security, moving from reactive patching to proactive, continuous assurance.
The open source component of Factory 2.0, DriftlessAF, is also likely to gain traction outside of Chainguard's ecosystem. By making the framework available to the community, Chainguard encourages broader adoption and contributions. This aligns with the company's open source roots and helps build trust in the technology.
As the software supply chain continues to be a prime target for attackers, tools like Factory 2.0 will become essential. The combination of AI, automation, and a robust reconciliation model provides a defense that can adapt to the rapidly changing threat landscape. Chainguard's latest release represents a significant step forward in making supply chain security not only more effective but also more manageable for developers and security teams alike.
In summary, Chainguard Factory 2.0 introduces a new paradigm for supply chain security, leveraging AI and reconciliation to continuously harden artifacts. With Chainguard Actions, Agent Skills, and the Guardener, the platform addresses the most pressing threats facing modern software development. As attackers innovate, so must defenders, and Factory 2.0 provides a scalable, automated solution that keeps pace with the evolving landscape.
Source: Dark Reading News