
Endor Labs and Chainguard Partner to Deliver End-to-End Software Supply Chain Security

Eliminating vulnerabilities at the source and verifying what's exploitable now in a single, integrated workflow.

Written by
Eli Scherr
Published on
May 19, 2026
Updated on
May 19, 2026

We're excited to announce that Endor Labs is partnering with Chainguard to deliver an integrated, end-to-end approach to software supply chain security. Together, we're helping engineering and security teams eliminate the vulnerability debt that accumulates with every sprint, and verify with function-level precision what actually puts their applications at risk.

Why this partnership matters

The software supply chain has become the primary attack surface of our era. Supply chain attacks have risen dramatically in recent years, and the volume of new CVEs continues to grow faster than teams can respond. Meanwhile, traditional scanners flood developers with alerts, the vast majority of which turn out to be noise, creating the very alert fatigue that lets real risks slip through.

Most organizations are fighting this problem on two separate fronts: trying to reduce the number of vulnerabilities entering their environments, while simultaneously trying to triage which ones actually matter. Until now, those two problems have required two separate solutions, with no shared context between them.

This partnership closes that gap. Chainguard eliminates vulnerabilities at the source with zero-CVE, built-from-source container images and language libraries. Endor Labs verifies risk at the code, dependency, and container layers, determining with function-level precision which vulnerabilities are genuinely reachable from real entry points in production. Together, they deliver a complete, verified chain of trust from image build to application runtime.

What's included in the integration

A verified chain of trust, surfaced in the Endor UI

When Endor Labs scans a container image, it now automatically identifies Chainguard images via labels, SBOM metadata, and registry origin. Security teams will see a Chainguard Verified trust badge directly in the Endor console, confirming that the image was built from source in the SLSA Level 3-compliant Chainguard Factory, without leaving their existing workflow.

A single, authoritative view of container vulnerability data

Endor Labs ingests and normalizes Chainguard’s advisory feed, giving teams one consolidated view of what's known, what Chainguard has already patched, and what genuinely requires attention. No more reconciling conflicting signals from multiple scanner outputs, or chasing findings that Chainguard has already resolved at the image layer.

OS-level reachability analysis applied to container findings

This is the most operationally significant capability in the integration. Rather than flagging every vulnerable OS package in an image, Endor Labs determines whether those packages are actually reachable from the running application. Packages that your workload never calls are tagged as unreachable and automatically moved out of the remediation queue.

For teams managing dozens of images across their environment, this single capability transforms the remediation burden of an AppSec team. It's the difference between thousands of open findings and a handful of things that actually require action.
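The two filtering steps described above (reconciling scanner findings against a vendor advisory feed, then dropping packages the workload never calls) can be sketched as a small triage routine. This is an added illustration, not Endor Labs or Chainguard code; the feed layout, CVE ids, package names and reachability verdicts are all constructed placeholders, not the real Chainguard advisory schema or Endor's output format.

```python
from typing import Dict, List, Tuple

# Constructed sample inputs (placeholder CVE ids and a hypothetical feed layout).
SCANNER_FINDINGS = [
    {"package": "libssl3", "version": "3.0.2", "cve": "CVE-0000-0001"},
    {"package": "libxml2", "version": "2.9.10", "cve": "CVE-0000-0002"},
    {"package": "zlib", "version": "1.2.11", "cve": "CVE-0000-0003"},
    {"package": "curl", "version": "7.80.0", "cve": "CVE-0000-0004"},
]
ADVISORY_FEED = [
    {"cve": "CVE-0000-0001", "package": "libssl3", "status": "fixed", "fixed_version": "3.0.2"},
    {"cve": "CVE-0000-0002", "package": "libxml2", "status": "not_affected"},
    {"cve": "CVE-0000-0004", "package": "curl", "status": "fixed", "fixed_version": "7.81.0"},
]
# Constructed reachability verdicts: True means the running application calls into the package.
REACHABLE = {"libssl3": True, "libxml2": True, "zlib": False, "curl": True}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple (numeric components only)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def normalize_advisories(feed: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Key the vendor feed by (CVE, package) so each finding is matched directly."""
    return {(a["cve"], a["package"]): a for a in feed}


def disposition(finding: dict, advisories: Dict[Tuple[str, str], dict],
                reachable: Dict[str, bool]) -> str:
    adv = advisories.get((finding["cve"], finding["package"]))
    if adv is not None:
        if adv["status"] == "not_affected":
            return "resolved_by_vendor"
        if adv["status"] == "fixed" and \
                parse_version(finding["version"]) >= parse_version(adv["fixed_version"]):
            return "resolved_by_vendor"  # already patched at the image layer
    # Unknown reachability is treated as reachable so nothing silently drops out of the queue.
    if not reachable.get(finding["package"], True):
        return "unreachable"
    return "needs_attention"


def triage(findings: List[dict], feed: List[dict], reachable: Dict[str, bool]) -> Dict[str, str]:
    advisories = normalize_advisories(feed)
    return {f["cve"]: disposition(f, advisories, reachable) for f in findings}


def remediation_queue(findings: List[dict], feed: List[dict], reachable: Dict[str, bool]) -> List[str]:
    """CVEs still requiring action after vendor-status and reachability filtering."""
    return [cve for cve, d in triage(findings, feed, reachable).items() if d == "needs_attention"]
```

With the constructed inputs, four raw findings collapse to a single actionable one: the package whose fix is newer than the installed version and which the workload actually reaches.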

What this means for your team

For security and AppSec teams: A validated, defense-in-depth supply chain posture with audit-ready SBOMs, VEX documents, and provenance attestations, not a patching treadmill. Endor's AURI provides function-level reachability evidence for every finding, so you can demonstrate to auditors and leadership exactly what is and isn't exploitable.

For DevOps and platform engineering: Fewer CVEs to chase from the start, dramatically fewer false alerts to triage, and automated guidance toward verified base images. Security becomes something embedded in the pipeline, not bolted on at the end.

For teams building with AI: AI coding agents generate code faster than humans can review it. AURI integrates directly into the developer tools those agents run in (Cursor, VS Code, GitHub Copilot, and Claude Code), providing the independent security intelligence layer that AI-generated code has been missing. Chainguard ensures the underlying infrastructure that those agents build on starts clean.

For regulated and government environments: The combination delivers SLSA L3 provenance, FIPS 140-3 validated container variants, STIG-hardened images, and function-level exploitability evidence, satisfying FedRAMP, PCI DSS, SOC 2, CMMC, and EU Cyber Resilience Act requirements with the artifacts both platforms produce natively.

"The attack surface with AI is growing faster than teams can manage, and Chainguard and Endor Labs are teaming up to help solve this problem. Chainguard reduces the vulnerability footprint before code ships. Endor ensures that what remains gets the right level of attention, quickly. For engineering and security teams, that means less time fighting alerts and more time building securely."

- Naveen Sharma, Global VP, Partnerships at Chainguard.

Getting started

The Endor Labs and Chainguard integration will be available shortly. Initial integration will begin with Chainguard container images, followed by Chainguard Libraries. If you're new to either platform and want to see the integration in action, book a demo with the Endor Labs team or contact Chainguard.