Vulnerability Scanners and Chainguard Libraries
Details for using vulnerability scanners with Chainguard Libraries.
5 min read
CVE Remediation for Chainguard Libraries
An overview of the CVE remediation feature for Chainguard Libraries
2 min read
CVE remediation is a feature in Chainguard Libraries that provides security protection against high and critical CVEs, while medium or low CVEs are not considered. Applications often rely on older versions of libraries, but upstream maintainers may not apply and release patches for those versions. CVE remediation addresses this gap by applying vulnerability fixes from newer releases to older releases, particularly in cases where maintainers are no longer able to support and provide fixes.
CVE remediation helps reduce risk for organizations that cannot always upgrade quickly, especially when a larger upgrade to newer versions forces often disruptive changes. CVE remediation makes multiple incremental patch versions of affected older versions available, allowing a very minor upgrade that only addresses the CVE, but does not introduce other changes.
CVE remediation is available for a subset of Chainguard Libraries for Python. If you want to request CVE remediation for additional libraries, reach out to your account team.
About CVE Remediation
CVE remediation focuses on high and critical vulnerabilities. Chainguard backports fixes that are already available in the new versions of the upstream project to older versions that may no longer receive updates.
Before publishing a remediated version, Chainguard validates that the remediated version does not introduce regressions. All upstream test suites are run before and after applying the fix to confirm functional consistency. Chainguard also develops additional regression tests to validate the effectiveness of the CVE fix.
Remediated libraries are distributed through a dedicated repository. This provides the option to make remediated versions available for your development or opt out of using these versions completely and continue to use upstream versions only.
Public VEX Feed
Advisories for each CVE addressed in our remediated libraries are published via a public VEX feed at https://libraries.cgr.dev/openvex/v1/all.json. Supported scanners and your own custom tooling can use this feed to identify and recognize remediated versions.
Scanning Remediated Libraries
Chainguard works closely with scanner partners so that remediated versions are properly recognized in vulnerability reports. This ensures that teams can maintain their existing scanning workflows while benefiting from patched dependencies.
Find more general information and specifics for supported scanners in Vulnerability Scanners and Chainguard Libraries.
Last updated: 2025-09-11 00:00