Security Technical Implementation Guides (STIGs) are not optional for most Defense Department programs and agencies pursuing an Authorization to Operate (ATO) or for software vendors seeking FedRAMP authorization. But STIG scanning tooling has historically struggled with the minimalist, distroless design that makes Chainguard images attractive in the first place: no shell, no package manager, and a drastically reduced attack surface. The tools that work fine on traditional images either partially execute or fail silently on shell-less containers.
That gap is now closed. Anchore Enterprise supports STIG compliance checks for Chainguard images, including both standard shell-based images and fully distroless, shell-less variants. This capability is available to every Anchore Enterprise customer who holds the STIG entitlement; no software upgrade is required.
What Changed, and Why It Was Hard
Most STIG scanning approaches depend on an in-container shell to execute checks. That’s fine until you’re working with distroless images, which deliberately omit the shell as a hardening measure. Ironically, many of the most security-hardened images in circulation are precisely the ones that defeat shell-dependent scanners.
Anchore’s approach evaluates STIG controls at the image layer by inspecting file content, package metadata, and configuration state without requiring shell execution inside a running container. This means the same compliance workflow covers your entire Chainguard image portfolio, whether you’re using a shell-bearing developer variant or a production-grade distroless image.
The Chainguard Collaboration
This didn’t happen in isolation. Anchore and Chainguard worked directly together to validate the scanning approach against Chainguard’s image catalog. That collaboration mattered because getting STIG coverage right on distroless images requires understanding exactly how those images are constructed. Testing focused on the FIPS images in the Chainguard catalog, together with a mutual customer, to ensure that the tool chain reported no violations.
The result is STIG coverage that reflects how Chainguard images are actually built, not a best-effort adaptation of tooling designed for a different image architecture.
As part of the effort, Chainguard has published a hardened image for cinc-auditor, the tool that runs the checks. More details can be found on their blog.
What You Can Check
Anchore Enterprise STIG support for Chainguard images covers:
- Shell-based Chainguard images, including developer and debug variants, using standard InSpec profile execution via CINC Auditor
- Shell-less (distroless) Chainguard images, using Anchore’s image-layer evaluation to assess controls without requiring a runtime shell
- STIG profiles relevant to container base OS hardening, consistent with DISA guidance
The checks run as part of your existing Anchore pipeline, using the same policy engine and the same reporting surface, so you have the audit trail your ATO or FedRAMP reviewers will ask for.
No Upgrade Needed
If you’re an existing Anchore Enterprise customer with the STIG entitlement, this capability is already available to you. You don’t need to upgrade Anchore Enterprise to a new version. Follow the Anchore documentation for STIG policy configuration, point the STIG policy at your Chainguard images, and run the checks.
If you’re not yet using the STIG entitlement, contact your Anchore account team or reach out here to add it.