The State of Trusted Open Source: 98% of CVEs Reside Outside Top Projects


These articles are AI-generated summaries. Please check the original sources for full details.

The Longtail of Open Source Risk

Chainguard’s analysis of over 180,000 container image projects and almost half a billion builds reveals that the majority of security vulnerabilities exist outside of the top 20 most popular open source projects. This contradicts the typical focus on widely-used software, highlighting a substantial blind spot in modern software supply chains and exposing significant potential risk.

Why This Matters

Current security models often prioritize widely-adopted packages, assuming they receive greater scrutiny and faster patching. However, this report demonstrates that the “longtail” of open source projects – less popular but critically important components – accumulates the vast majority of vulnerabilities, presenting an enormous security burden and potential for costly breaches. Failing to address risk in these less visible components can lead to widespread disruption, given that 61.42% of production workloads rely on these longtail images.

Key Insights

  • 98% of CVEs outside top 20 projects: Vulnerabilities overwhelmingly exist in less-popular images.
  • Python dominates AI stack: Python powers 71.7% of customer container images, driving the modern AI infrastructure.
  • Rapid remediation: Chainguard remediates Critical CVEs in under 20 hours, demonstrating a strong security response.

Practical Applications

  • Use Case: Organizations like those in the financial sector can leverage tools like Chainguard to enforce stricter security protocols and FIPS compliance across their entire dependency tree.
  • Pitfall: Focusing solely on popular packages and neglecting longtail dependencies creates a false sense of security and leaves systems vulnerable to attacks targeting less-monitored components.
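The pitfall above is easy to measure in your own estate. The following script is an added example, not Chainguard's code or the report's methodology: it takes constructed per-image scan findings with a popularity proxy (an assumed pull count), computes what fraction of distinct CVEs a "review only the top N images" policy would never look at, and lists longtail images carrying Critical findings older than a remediation deadline. The 20-hour figure the summary cites is reused here only as an illustrative SLA value; the image names and CVE identifiers are placeholders.

```python
"""Longtail exposure check over container-image scan findings.

Added example (not Chainguard's code): shows how much CVE exposure a
"top-N images only" review policy misses, and which longtail images
carry Critical CVEs past a remediation SLA.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str        # image / project name
    pulls: int        # popularity proxy (assumed: registry pull count)
    cve: str          # CVE identifier as reported by the scanner
    severity: str     # scanner severity label
    age_hours: float  # hours since a fix became available (assumed field)


# Constructed sample findings. CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("python", 9_000_000, "CVE-0000-0001", "High", 3),
    Finding("nginx", 7_500_000, "CVE-0000-0002", "Medium", 12),
    Finding("internal-etl-runner", 1_200, "CVE-0000-0003", "Critical", 96),
    Finding("internal-etl-runner", 1_200, "CVE-0000-0004", "High", 30),
    Finding("legacy-pdf-tool", 340, "CVE-0000-0005", "Critical", 8),
    Finding("legacy-pdf-tool", 340, "CVE-0000-0006", "Critical", 400),
    Finding("forgotten-cron-image", 12, "CVE-0000-0007", "Low", 700),
    Finding("forgotten-cron-image", 12, "CVE-0000-0008", "High", 700),
]

# Illustrative remediation deadline, reusing the summary's "under 20 hours".
SLA_HOURS = 20


def top_n_images(findings, n):
    """Return the n most popular image names by the pull-count proxy."""
    pulls = {f.image: f.pulls for f in findings}
    ranked = sorted(pulls, key=lambda img: pulls[img], reverse=True)
    return set(ranked[:n])


def longtail_share(findings, n):
    """Fraction of distinct CVEs that sit entirely outside the top-n images.

    A CVE present in both a top image and a longtail image counts as
    covered, since a top-N review would still surface it.
    """
    top = top_n_images(findings, n)
    all_cves = {f.cve for f in findings}
    top_cves = {f.cve for f in findings if f.image in top}
    if not all_cves:
        return 0.0
    return (len(all_cves) - len(top_cves)) / len(all_cves)


def overdue_longtail_criticals(findings, n, sla_hours):
    """Longtail images with Critical CVEs older than the remediation SLA."""
    top = top_n_images(findings, n)
    overdue = defaultdict(list)
    for f in findings:
        if f.image in top:
            continue  # covered by the existing top-N review
        if f.severity == "Critical" and f.age_hours > sla_hours:
            overdue[f.image].append(f.cve)
    return {img: sorted(cves) for img, cves in overdue.items()}


if __name__ == "__main__":
    share = longtail_share(SAMPLE, n=2)
    print(f"CVEs outside the top-2 images: {share:.0%}")
    for image, cves in overdue_longtail_criticals(SAMPLE, 2, SLA_HOURS).items():
        print(f"overdue Critical in longtail image {image}: {', '.join(cves)}")
```

Feeding the script real scanner output (e.g. one `Finding` per row of a Grype or Trivy report joined to registry pull statistics) turns the report's headline into a number for your own fleet, and the overdue list is the concrete work queue that a popularity-first review would have left invisible.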
