Hardened base images
HarborGuard vs Chainguard Images
Chainguard sells distroless, minimal base images that ship with near-zero CVEs. HarborGuard sells the workflow that handles whatever base images you actually ship. They're complementary: many HarborGuard customers use Chainguard images as their default base, then run HarborGuard for everything else.
If you can rebuild your fleet on Chainguard images, do — fewer CVEs is always better than better CVE management. But most teams ship on Ubuntu, Alpine, RHEL, and Distroless mixed; HarborGuard is the layer that triages, patches, and compliance-reports across whatever you actually run.
When Chainguard Images wins
- You can standardize on Chainguard's image catalog.
- Your apps fit Chainguard's available base images (Node, Python, Go, Java).
When HarborGuard wins
- Your fleet runs heterogeneous base images you can't fully replace.
- You need to scan, triage, and patch images from any source — not only Chainguard.
- You need compliance evidence packs across all your images.
Capability matrix
| Capability | HarborGuard | Chainguard Images |
|---|---|---|
| What it is | Scanning + workflow platform | Hardened base image distribution |
| Scans your images | Yes (any image) | No — they sell their own images |
| Compliance reports | 10+ frameworks | FIPS 140-3 attestations on their images |
| Patching | Buildah / Copa for any image | Chainguard rebuilds their catalog daily |
| Pricing | Public per-user | Per image, sales-led |
Frequently asked questions
Are HarborGuard and Chainguard competitors?
Not really. Chainguard sells base images; HarborGuard sells the platform that scans and triages whatever images you ship. They work well together — use Chainguard images where you can, run HarborGuard against everything.
Can HarborGuard scan Chainguard images?
Yes. Trivy, Grype, and OSV-Scanner all index Chainguard's repositories by default. Most Chainguard images return zero or near-zero findings, which is the point.