According to Chainguard, The State of Trusted Open Source report follows its December 2025 release and expands on insights from its container image projects, languages, and builds to reveal how teams pull, deploy, and maintain software amid AI-driven development.
The analysis covers over 2,200 unique container image projects, 33,931 total vulnerability instances, and 377 unique CVEs from December 1, 2026, through February 28, 2026, with Python remaining the most-used image at 72.1% of customers and PostgreSQL usage up 73% quarter over quarter. It also notes that language ecosystems account for more than half of the top 25 images, with Chainguard Base being the fifth-most-deployed image by customer count at 36.3% across variants.
The findings show AI accelerating vulnerability discovery and remediation, reporting a 145% rise in unique CVEs and a threefold increase in fixes, while median remediation times sit at about 2.0 days. A long-tail pattern persists, with 96.2% of CVEs occurring outside the top 20 most popular images, underscoring that most risk lives in less-visible dependencies. The report also highlights compliance-driven adoption, with 42% of customers running at least one FIPS image in production.