Introducing SecureBuild

Secure, Sustainable Open Source with 0-CVE Images

Grant Miller | Jun 20, 2025

Launching SecureBuild!

For over a decade at Replicated, we’ve helped open source software companies like TravisCI, HashiCorp, KNIME, H2O.ai, and DataStax build great businesses by delivering enterprise-ready versions of their software to the world’s most demanding customers. We've seen firsthand how strong commercial success can not only sustain open source projects but help them thrive.

Today, we’re launching SecureBuild to take the next step in that journey.

What ISVs Are Telling Us

Over and over, we’ve heard from independent software vendors (ISVs) that they’re under increasing pressure to demonstrate the security of their software supply chain. Enterprise customers are now asking harder questions, scrutinizing containers for vulnerabilities, and requiring provably secure images before approving purchases. CVEs aren’t just an annoyance; they’re a liability.

The ISVs we support want to meet these requirements, but they’re engineers and product builders first. Keeping up with shifting CVE disclosures, patching dependencies across complex build graphs, and maintaining trust with customers (all while trying to move their product forward) is a growing burden.

They need a better way to ship secure software.

Our Journey with Hardened Images (and Beyond)

We were among the first customers of Chainguard Images. Their vision of zero-CVE containers resonated immediately. They proved that enterprise buyers will pay for open source software when it's packaged with security guarantees.

But as we grew alongside them, we also saw an opportunity to take a different approach, one that’s deeply aligned with our experience in the open source ecosystem.

Chainguard open-sourced powerful tools like Wolfi and melange, and we built on them. We created our own hardened build system tailored to the needs of ISVs, leveraging our secure ephemeral build environment (Compatibility Matrix) and routing artifacts through our protected registry with strict validation. We optimized for reproducibility, traceability, and the needs of commercial software vendors selling to large enterprises.

Introducing SecureBuild

SecureBuild offers zero-CVE container images for open source software, backed by a business model that’s fundamentally creator-first.

Here’s what makes it different:

  • We partner directly with open source projects to be their official provider of secure images
  • We rebuild everything from source using a trusted ephemeral build system and deliver through a hardened registry
  • We pay 70% of direct image subscription revenue to maintainers, recognizing the value of their work and helping them sustainably support their projects
  • We give enterprises a clear path to adoption through distribution tools like our Enterprise Portal and robust software delivery APIs

We believe changing an open source license to monetize isn’t the only (or best) path. Instead, we’re betting on a future where open source maintainers succeed because their software is used in production by security-conscious enterprises.

A Significant Investment, A Long-Term Commitment

SecureBuild is not a side project. It’s a major investment for us.

It’s built on core Replicated technologies, and it represents our next chapter as a company: not just enabling enterprise distribution, but actively securing the supply chain that powers it.

We’re committed to leading this new model:

  • Leading how ISVs adopt secure base images
  • Leading how open source projects partner with commercial platforms
  • Leading how enterprises confidently deploy open source software

The demand is here, the infrastructure is ready, and the value to open source has never been more tangible.

If you’re building open source, selling software to enterprises, or responsible for securing production systems, join us. This is just the beginning.

👉 Visit securebuild.com to learn more and get started.