
Chainguard Wants to Rate Your Containers, and That's a Good Thing

In the ever-expanding labyrinth of cloud-native development, it’s easy to lose sight of what’s actually lurking inside your container images. Vulnerabilities. Unknown dependencies. Bloated software. For most DevSecOps teams, that’s not just an inconvenience—it’s a liability.


Enter Chainguard’s newest brainchild: Container Hardening Priorities, or CHPs. It’s not just another checklist. It’s a framework to evaluate the security posture of container images at build time—and yes, it rates them on a literal spice scale.


“Container images are opaque by default,” says a Chainguard spokesperson. “We wanted to enable an easier assessment of images and provide a way to communicate the security of an image, ultimately helping teams make educated decisions around what images to run in production.”


Why Another Framework?


If you’ve already been neck-deep in the alphabet soup of DevSecOps standards—SLSA, SBOMs, CIS benchmarks—you might be wondering why the world needs another framework. But CHPs isn’t trying to replace anything; it’s designed to complement the Supply-chain Levels for Software Artifacts (SLSA) framework.


SLSA provides a broad, holistic view of software supply chain security. CHPs zooms in with laser focus on the build-time characteristics of container images. Think: what’s inside the image, who built it, and how much unnecessary baggage it's carrying.


Spice Levels and Security Metrics


CHPs breaks image security into four key domains:


  • Minimalism: Less is more. The fewer tools and packages in the image, the fewer places for vulnerabilities to hide, and the less an attacker who lands inside the container can "live off the land" with (a shell, curl or wget, a package manager, a compiler).

  • Provenance: Knowing who built your image and what's inside it isn't just nice; it's essential. Signed images and reproducible builds live here.

  • Configuration and Metadata: Are you running as root? Exposing unnecessary ports? This section audits for common misconfigurations and poor security hygiene.

  • Vulnerabilities: CVEs are the obvious red flags, and CHPs integrates scanning tools to call them out.
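The four domains map onto data you can pull from any registry without running the image: the OCI image config (what `docker inspect` or `crane config` returns), an SBOM, and a scanner report. The checker below is an added example, not Chainguard's grading tool and not the CHPs rubric; it runs one representative check per domain against a constructed image config, package list and scanner output. The check names, the thresholds and the sample data are assumptions.

```python
"""One representative build-time check per CHPs domain, run against an OCI
image config plus an SBOM package list and a scanner report.
Added example; the checks, thresholds and sample data are assumptions."""
import json

# Packages that let an intruder "live off the land" inside the container (assumed list).
LOTL_PACKAGES = {"bash", "sh", "busybox", "curl", "wget", "python3", "perl", "gcc", "apk-tools", "apt"}
# Environment variable names that suggest a credential baked into the image (assumed).
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "PRIVATE_KEY")
MAX_LAYERS = 10  # assumed threshold for "too many layers"

# Constructed OCI image configs, trimmed to the fields the checks read.
BAD_IMAGE_CONFIG = json.dumps({
    "config": {
        "User": "",                                   # empty User means root
        "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}},
        "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"],
        "Labels": {},
    },
    "rootfs": {"diff_ids": ["sha256:%064x" % i for i in range(14)]},
})
GOOD_IMAGE_CONFIG = json.dumps({
    "config": {
        "User": "65532:65532",
        "ExposedPorts": {"8080/tcp": {}},
        "Env": ["PATH=/usr/bin"],
        "Labels": {  # standard OCI annotation keys pointing back at the source
            "org.opencontainers.image.source": "https://github.com/example/app",
            "org.opencontainers.image.revision": "0123abcd",
        },
    },
    "rootfs": {"diff_ids": ["sha256:%064x" % 1, "sha256:%064x" % 2]},
})
# Constructed SBOM package names and scanner findings (only severities, no CVE ids).
BAD_PACKAGES = ["bash", "curl", "wget", "python3", "gcc", "apk-tools", "app"]
GOOD_PACKAGES = ["app", "ca-certificates", "glibc"]
BAD_SCAN = [{"severity": "CRITICAL"}, {"severity": "HIGH"}, {"severity": "LOW"}]
GOOD_SCAN = [{"severity": "LOW"}]


def check_minimalism(packages, cfg):
    """Flag living-off-the-land tooling and layer sprawl."""
    findings = []
    lotl = sorted(LOTL_PACKAGES & set(packages))
    if lotl:
        findings.append("living-off-the-land tooling present: " + ", ".join(lotl))
    layers = len(cfg.get("rootfs", {}).get("diff_ids", []))
    if layers > MAX_LAYERS:
        findings.append(f"{layers} filesystem layers (limit {MAX_LAYERS})")
    return findings


def check_provenance(cfg):
    """Require the OCI source/revision annotations. Signatures and reproducibility
    live in the registry and the build system, not in the config, so they are not
    checked here."""
    labels = cfg.get("config", {}).get("Labels") or {}
    return [f"missing {key} label"
            for key in ("org.opencontainers.image.source", "org.opencontainers.image.revision")
            if not labels.get(key)]


def check_configuration(cfg):
    """Root user, SSH port and credential-looking environment variables."""
    c = cfg.get("config", {})
    findings = []
    user = (c.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    if "22/tcp" in (c.get("ExposedPorts") or {}):
        findings.append("exposes 22/tcp; SSH has no place in an application image")
    for entry in c.get("Env") or []:
        name = entry.split("=", 1)[0].upper()
        if any(hint in name for hint in SECRET_HINTS):
            findings.append(f"credential-like environment variable {name}")
    return findings


def check_vulnerabilities(scan):
    """Count critical/high findings from the scanner report."""
    serious = sum(1 for f in scan if f.get("severity") in ("CRITICAL", "HIGH"))
    return [f"{serious} critical/high findings from the scanner"] if serious else []


def assess(config_json, packages, scan):
    """Return a per-domain list of findings; an empty list means the domain is clean."""
    cfg = json.loads(config_json)
    return {
        "minimalism": check_minimalism(packages, cfg),
        "provenance": check_provenance(cfg),
        "configuration": check_configuration(cfg),
        "vulnerabilities": check_vulnerabilities(scan),
    }


def passes(report):
    return not any(report.values())


if __name__ == "__main__":
    for label, args in (("bad", (BAD_IMAGE_CONFIG, BAD_PACKAGES, BAD_SCAN)),
                        ("good", (GOOD_IMAGE_CONFIG, GOOD_PACKAGES, GOOD_SCAN))):
        print(label, json.dumps(assess(*args), indent=2))
```

The provenance check is deliberately the weakest of the four: the labels only say where the image claims to come from, and nothing in the config proves the claim. A signature (for example a cosign signature stored alongside the image in the registry) and a reproducible build are what actually back it, which is why the page puts them at the hot end of the scale.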


Each criterion is ranked on a heat-based gradient. Simple tasks like image signing land you in the "Jalapeño" tier. Want reproducible builds? That’s full-on "Ghost Pepper" territory. Spicy.


Automation Meets Transparency


To make adoption frictionless, Chainguard has released a grading tool that scans container images and outputs a badge, perfect for GitHub READMEs and dashboards. For users, it’s a quick way to vet what you’re running. For maintainers, it’s a signal of trust—and a gentle nudge toward hardening your build pipeline.


“Grading can provide an easy way for you to show the security posture of your container images, while also identifying areas that you might want to improve on,” the company explains.


The Road Ahead


Right now, CHPs is tightly scoped to build-time properties: a top-grade image can still be deployed as a privileged container with a writable root filesystem and unrestricted network access, because those are runtime decisions. Chainguard is already hinting at future expansions into runtime security, like enforcing read-only filesystems or sandboxing network access. Until then, the current spec is open for feedback and collaboration.


“We are actively looking for collaborators to join us in taking the specification forward,” the team says. Contributors can chime in via GitHub or email at chps@chainguard.dev.


A Quiet Revolution


With CHPs, Chainguard isn’t trying to boil the ocean. Instead, it’s offering an opinionated, approachable way to push container security from “vague best practices” to “measurable improvements.” And while the chili pepper gimmick may feel whimsical, the problems it targets are anything but.


If the future of cloud-native security looks like this—visible, composable, and a little bit spicy—we’re here for it.
